search menu icon-carat-right cmu-wordmark

Integrated Measurement and Analysis Framework for Software Security

Technical Note
In this report, the authors address how to measure software security in complex environments using the Integrated Measurement and Analysis Framework (IMAF).
Publisher

Software Engineering Institute

CMU/SEI Report Number
CMU/SEI-2010-TN-025
DOI (Digital Object Identifier)
10.1184/R1/6574565.v1

Abstract

In today’s business and operational environments, multiple organizations routinely work collaboratively to acquire, develop, deploy, and maintain technical capabilities via a set of interdependent, networked systems. Measurement in these distributed management environments can be an extremely challenging problem. The CERT Program, part of Carnegie Mellon University's Software Engineering Institute (SEI), is developing the Integrated Measurement and Analysis Framework (IMAF) to enable effective measurement in distributed environments, including acquisition programs, supply chains, and systems of systems. The IMAF defines an approach that integrates subjective and objective data from multiple sources (targeted analysis, reports, and tactical measurement) and provides decision makers with a consolidated view of current conditions. This report is the first in a series that addresses how to measure software security in complex environments. It poses several research questions and hypotheses and presents a foundational set of measurement concepts. It also describes how meaningful measures provide the information that decision makers need when they need it and in the right form. Finally, this report provides a conceptual overview of the IMAF, describes methods for qualitatively and quantitatively collecting data to inform the framework, and suggests how to use the IMAF to derive meaningful measures for analyzing software security performance.

Related Links

Deriving Software Security Measures from Information Security Standards of Practice

Risk-Based Measurement and Analysis: Application to Software Security

Cite This Technical Note

Alberts, C., Allen, J., & Stoddard, R. (2010, September 1). Integrated Measurement and Analysis Framework for Software Security. (Technical Note CMU/SEI-2010-TN-025). Retrieved February 21, 2024, from https://doi.org/10.1184/R1/6574565.v1.

@techreport{alberts_2010,
author={Alberts, Christopher and Allen, Julia and Stoddard, Robert},
title={Integrated Measurement and Analysis Framework for Software Security},
month={Sep},
year={2010},
number={CMU/SEI-2010-TN-025},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/6574565.v1},
note={Accessed: 2024-Feb-21}
}

Alberts, Christopher, Julia Allen, and Robert Stoddard. "Integrated Measurement and Analysis Framework for Software Security." (CMU/SEI-2010-TN-025). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, September 1, 2010. https://doi.org/10.1184/R1/6574565.v1.

C. Alberts, J. Allen, and R. Stoddard, "Integrated Measurement and Analysis Framework for Software Security," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Note CMU/SEI-2010-TN-025, 1-Sep-2010 [Online]. Available: https://doi.org/10.1184/R1/6574565.v1. [Accessed: 21-Feb-2024].

Alberts, Christopher, Julia Allen, and Robert Stoddard. "Integrated Measurement and Analysis Framework for Software Security." (Technical Note CMU/SEI-2010-TN-025). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 1 Sep. 2010. https://doi.org/10.1184/R1/6574565.v1. Accessed 21 Feb. 2024.

Alberts, Christopher; Allen, Julia; & Stoddard, Robert. Integrated Measurement and Analysis Framework for Software Security. CMU/SEI-2010-TN-025. Software Engineering Institute. 2010. https://doi.org/10.1184/R1/6574565.v1