search menu icon-carat-right cmu-wordmark

Cybersecurity Engineering Research: Cybersecurity Quality Metrics Collection

This research evaluates the feasibility of using 1) using software quality models to improve software security and 2) available data to calibrate a specialized quality model to track and forecast security defects.

Software Engineering Institute


Security is difficult to measure and even harder to predict. Quality is one area where predictive capability has been successfully applied. Although high quality code is not necessarily secure, poor quality code cannot be secure; therefore, some minimum level of quality software may be considered necessary to achieve secure code. There is general agreement that good quality is an essential condition for software with security requirements; however, the level of necessary quality is an open question. A connection between quality flaws and security flaws has been observed. Research indicates that 1-5% of defects will end up as vulnerabilities.

Advanced software quality management models now exist that are capable of economically producing software that is an order of magnitude higher quality than current critical systems. These projects indicate early efforts to address safety and security with good operational results.

Our research is determining how software quality models can be specialized for security to increase confidence that software can be sufficiently secure and function as intended. We postulate that quality results below a "to be determined" quality threshold provide sufficient evidence that improves confidence for security and results above that threshold provide evidence that operational security would be uncertain.

Collection Items