
The Measurement Challenges in Software Assurance and Supply Chain Risk Management

White Paper
This paper recommends an approach for developing and evaluating cybersecurity metrics for open source and other software in the supply chain.

Software Engineering Institute


In this paper, the authors discuss the metrics needed to predict the cybersecurity of open source software and argue that standards are needed to make those metrics easier to apply across the software supply chain. The authors provide examples of potentially useful metrics and underscore the need for data collection and analysis to validate them. They assert that defining metrics, collecting and analyzing data to demonstrate their utility, and applying standard measurement methods all require unbiased, collaborative work if the metrics are to yield trustworthy results.