Risk-Based Measurement and Analysis: Application to Software Security
Technical Note
Publisher
Software Engineering Institute
CMU/SEI Report Number
CMU/SEI-2012-TN-004
DOI (Digital Object Identifier)
10.1184/R1/6583493.v1
Abstract
For several years, the software engineering community has been working to identify practices aimed at developing more secure software. Although some foundational work has been performed, efforts to measure software security assurance have yet to materialize in any substantive fashion. As a result, decision makers (e.g., development program and project managers, acquisition program offices) lack confidence in the security characteristics of their software-reliant systems. The CERT® Program at Carnegie Mellon University’s Software Engineering Institute (SEI) has chartered the Software Security Measurement and Analysis (SSMA) Project to advance the state-of-the-practice in software security measurement and analysis. The SSMA Project is exploring how to use risk analysis to direct an organization’s software security measurement and analysis efforts. The overarching goal is to develop a risk-based approach for measuring and monitoring the security characteristics of interactively complex software-reliant systems across the life cycle and supply chain. To accomplish this goal, the project team has developed the SEI Integrated Measurement and Analysis Framework (IMAF) and refined the SEI Mission Risk Diagnostic (MRD). This report is an update to the technical note, Integrated Measurement and Analysis Framework for Software Security (CMU/SEI-2010-TN-025), published in September 2010. This report presents the foundational concepts of a risk-based approach for software security measurement and analysis and provides an overview of the IMAF and the MRD.
Related Links
Part of a Collection
Cybersecurity Engineering Research: Software Assurance Measurement and Analysis Collection
Cybersecurity Engineering Research: Cybersecurity Quality Metrics Collection
Cite This Technical Note
Alberts, C., Allen, J., & Stoddard, R. (2012, February 1). Risk-Based Measurement and Analysis: Application to Software Security. (Technical Note CMU/SEI-2012-TN-004). Retrieved November 22, 2024, from https://doi.org/10.1184/R1/6583493.v1.
@techreport{alberts_2012,
author={Alberts, Christopher and Allen, Julia and Stoddard, Robert},
title={Risk-Based Measurement and Analysis: Application to Software Security},
month={Feb},
year={2012},
number={CMU/SEI-2012-TN-004},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/6583493.v1},
note={Accessed: 2024-Nov-22}
}
Alberts, Christopher, Julia Allen, and Robert Stoddard. "Risk-Based Measurement and Analysis: Application to Software Security." (CMU/SEI-2012-TN-004). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, February 1, 2012. https://doi.org/10.1184/R1/6583493.v1.
C. Alberts, J. Allen, and R. Stoddard, "Risk-Based Measurement and Analysis: Application to Software Security," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Note CMU/SEI-2012-TN-004, 1-Feb-2012 [Online]. Available: https://doi.org/10.1184/R1/6583493.v1. [Accessed: 22-Nov-2024].
Alberts, Christopher, Julia Allen, and Robert Stoddard. "Risk-Based Measurement and Analysis: Application to Software Security." (Technical Note CMU/SEI-2012-TN-004). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 1 Feb. 2012. https://doi.org/10.1184/R1/6583493.v1. Accessed 22 Nov. 2024.
Alberts, Christopher; Allen, Julia; & Stoddard, Robert. Risk-Based Measurement and Analysis: Application to Software Security. CMU/SEI-2012-TN-004. Software Engineering Institute. 2012. https://doi.org/10.1184/R1/6583493.v1