search menu icon-carat-right cmu-wordmark

Risk-Based Measurement and Analysis: Application to Software Security

Technical Note
In this report, the authors present the concepts of a risk-based approach to software security measurement and analysis and describe the IMAF and MRD.
Publisher

Software Engineering Institute

CMU/SEI Report Number
CMU/SEI-2012-TN-004
DOI (Digital Object Identifier)
10.1184/R1/6583493.v1

Abstract

For several years, the software engineering community has been working to identify practices aimed at developing more secure software. Although some foundational work has been performed, efforts to measure software security assurance have yet to materialize in any substantive fashion. As a result, decision makers (e.g., development program and project managers, acquisition program offices) lack confidence in the security characteristics of their software-reliant systems. The CERT® Program at Carnegie Mellon University’s Software Engineering Institute (SEI) has chartered the Software Security Measurement and Analysis (SSMA) Project to advance the state-of-the-practice in software security measurement and analysis. The SSMA Project is exploring how to use risk analysis to direct an organization’s software security measurement and analysis efforts. The overarching goal is to develop a risk-based approach for measuring and monitoring the security characteristics of interactively complex software-reliant systems across the life cycle and supply chain. To accomplish this goal, the project team has developed the SEI Integrated Measurement and Analysis Framework (IMAF) and refined the SEI Mission Risk Diagnostic (MRD). This report is an update to the technical note, Integrated Measurement and Analysis Framework for Software Security (CMU/SEI-2010-TN-025), published in September 2010. This report presents the foundational concepts of a risk-based approach for software security measurement and analysis and provides an overview of the IMAF and the MRD.

Related Links

Cite This Technical Note

Alberts, C., Allen, J., & Stoddard, R. (2012, February 1). Risk-Based Measurement and Analysis: Application to Software Security. (Technical Note CMU/SEI-2012-TN-004). Retrieved April 24, 2024, from https://doi.org/10.1184/R1/6583493.v1.

@techreport{alberts_2012,
author={Alberts, Christopher and Allen, Julia and Stoddard, Robert},
title={Risk-Based Measurement and Analysis: Application to Software Security},
month={Feb},
year={2012},
number={CMU/SEI-2012-TN-004},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/6583493.v1},
note={Accessed: 2024-Apr-24}
}

Alberts, Christopher, Julia Allen, and Robert Stoddard. "Risk-Based Measurement and Analysis: Application to Software Security." (CMU/SEI-2012-TN-004). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, February 1, 2012. https://doi.org/10.1184/R1/6583493.v1.

C. Alberts, J. Allen, and R. Stoddard, "Risk-Based Measurement and Analysis: Application to Software Security," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Note CMU/SEI-2012-TN-004, 1-Feb-2012 [Online]. Available: https://doi.org/10.1184/R1/6583493.v1. [Accessed: 24-Apr-2024].

Alberts, Christopher, Julia Allen, and Robert Stoddard. "Risk-Based Measurement and Analysis: Application to Software Security." (Technical Note CMU/SEI-2012-TN-004). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 1 Feb. 2012. https://doi.org/10.1184/R1/6583493.v1. Accessed 24 Apr. 2024.

Alberts, Christopher; Allen, Julia; & Stoddard, Robert. Risk-Based Measurement and Analysis: Application to Software Security. CMU/SEI-2012-TN-004. Software Engineering Institute. 2012. https://doi.org/10.1184/R1/6583493.v1