Abstract
When you are in charge of building software from the ground up, software security can be encouraged through the use of secure software development methodologies. However, how can you measure the security of a given piece of software that you didn’t write yourself? In other words, when looking at two executables, what does “a is more secure than b” mean? This paper examines some approaches to measuring software security, and recommends that more organisations should employ the Building Security In Maturity Model (BSIMM).
References
CVE: Common Vulnerabilities and Exposures (CVE), http://cve.mitre.org/
NVD: National Vulnerability Database Home, http://nvd.nist.gov
Clemens, S.L.: Notes on ‘Innocents Abroad’: Paragraph 20 (2010) (“There are three kinds of lies: lies, damned lies, and statistics” – attributed to Disraeli), http://marktwainproject.org
Brooks, F.P.: The Mythical Man-Month. Addison-Wesley (1995)
Ozment, A., Schechter, S.E.: Milk or wine: does software security improve with age? In: Proceedings of the 15th Conference on USENIX Security Symposium, USENIX-SS 2006, vol. 15. USENIX Association, Berkeley (2006)
Geer, D.: MetriCon 1.0 Digest (2006), http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon1.0
Geer, D.: MetriCon 2.0 Digest (2007), http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon2.0
Geer, D.: MetriCon 4.0 Digest (2009), http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon4.0
Conway, D.: MetriCon 3.0 Digest (2008), http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon3.0
ISO/IEC 15408-1: Evaluation criteria for IT security, Part 1: Introduction and general model (2005)
Eberlein, A., do Prado Leite, J.C.S.: Agile requirements definition: A view from requirements engineering. In: Proceedings of the International Workshop on Time-Constrained Requirements Engineering (TCRE 2002) (2002)
Beznosov, K.: eXtreme Security Engineering: On Employing XP Practices to Achieve “Good Enough Security” without Defining It. In: Proceedings of the First ACM Workshop on Business Driven Security Engineering, BizSec (2003)
Wäyrynen, J., Bodén, M., Boström, G.: Security Engineering and eXtreme Programming: An Impossible Marriage? In: Zannier, C., Erdogmus, H., Lindstrom, L. (eds.) XP/Agile Universe 2004. LNCS, vol. 3134, pp. 117–128. Springer, Heidelberg (2004)
Beznosov, K., Kruchten, P.: Towards agile security assurance. In: Proceedings of New Security Paradigms Workshop, Nova Scotia, Canada (2004)
Siponen, M., Baskerville, R., Kuivalainen, T.: Integrating security into agile development methods. In: Proceedings of Hawaii International Conference on System Sciences (2005)
Poppendieck, M., Morsicato, R.: XP in a Safety-Critical Environment. Cutter IT Journal 15, 12–16 (2002)
Kongsli, V.: Towards agile security in web applications. In: Companion to the 21st ACM SIGPLAN Symposium on Object-Oriented Programming Systems, Languages, and Applications, OOPSLA 2006, pp. 805–808. ACM, New York (2006)
McGraw, G., Steven, J.: Software [In]security: Comparing Apples, Oranges, and Aardvarks (or, All Static Analysis Tools Are Not Created Equal) (2011)
Jensen, J.: A Novel Testbed for Detection of Malicious Software Functionality. In: Proceedings of Third International Conference on Availability, Security, and Reliability (ARES 2008), pp. 292–301 (2008)
Miller, B., Fredriksen, L., So, B.: An empirical study of the reliability of UNIX utilities. Communications of the ACM 33(12) (1990)
McGraw, G., Chess, B., Migues, S.: Building Security In Maturity Model (BSIMM 3) (2011)
Doyle, A.C.: Memoirs of Sherlock Holmes, http://www.gutenberg.org/files/834/834-h/834-h.htm
McGraw, G.: Software Security: Building Security In. Addison-Wesley (2006)
Copyright information
© 2012 IFIP International Federation for Information Processing
Cite this paper
Jaatun, M.G. (2012). Hunting for Aardvarks: Can Software Security Be Measured?. In: Quirchmayr, G., Basl, J., You, I., Xu, L., Weippl, E. (eds) Multidisciplinary Research and Practice for Information Systems. CD-ARES 2012. Lecture Notes in Computer Science, vol 7465. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32498-7_7
DOI: https://doi.org/10.1007/978-3-642-32498-7_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32497-0
Online ISBN: 978-3-642-32498-7
eBook Packages: Computer Science, Computer Science (R0)