Measuring Software Security from the Design of Software

Marko Saarela, Shohreh Hosseinzadeh, S. Hyrynsalmi, V. Leppänen
Proceedings of the 18th International Conference on Computer Systems and Technologies. Published 2017-06-23. DOI: 10.1145/3134302.3134334 (https://doi.org/10.1145/3134302.3134334)
Citations: 2

Abstract

With the increasing use of mobile phones in contemporary society, more and more networked computers are connected to each other. This has brought along security issues. To solve these issues, both research and development communities are trying to build more secure software. However, there is the question of how secure software is defined and how security could be measured. In this paper, we study this problem by studying what kinds of security measurement tools (i.e. metrics) are available, and what these tools and metrics reveal about the security of software. As a result of the study, we noticed that security verification activities fall into two main categories, evaluation and assurance. There exist 34 metrics for measuring security, of which 29 are assurance metrics and 5 are evaluation metrics. Evaluating and studying these metrics led us to the conclusion that the general quality of the security metrics is not at a satisfying level that could be suitably used in daily engineering workflows. They have both theoretical and practical issues that require further research, and need to be improved.