International Conference on Availability, Reliability, and Security

CD-ARES 2012: Multidisciplinary Research and Practice for Information Systems, pp. 85–92


Hunting for Aardvarks: Can Software Security Be Measured?

  • Martin Gilje Jaatun
  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNISA,volume 7465)

Abstract

When you are in charge of building software from the ground up, software security can be encouraged through the use of secure software development methodologies. However, how can you measure the security of a given piece of software that you didn’t write yourself? In other words, when looking at two executables, what does “a is more secure than b” mean? This paper examines some approaches to measuring software security, and recommends that more organisations should employ the Building Security In Maturity Model (BSIMM).

Keywords

  • Attack Model
  • Security Test
  • Agile Method
  • Software Security
  • Static Analysis Tool

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Author information

Authors and Affiliations

  1. Department of Software Engineering, Safety and Security, SINTEF ICT, NO-7465, Trondheim, Norway

    Martin Gilje Jaatun


Editor information

Editors and Affiliations

  1. Department of IT, Engineering and Environment, University of South Australia, Mawson Lakes Campus, 5001, Adelaide, SA, Australia

    Gerald Quirchmayr

  2. Department of Information Technologies, University of Economics, W. Churchill Sq. 4, 130 67, Prague 3, Czech Republic

    Josef Basl

  3. School of Information Science, Korean Bible University, 16 Danghyun 2-gil, Nowon-gu, 139-791, Seoul, Korea

    Ilsun You

  4. Information Technology and Decision Sciences, Old Dominion University, 2076 Constant Hall, 23529, Norfolk, VA, USA

    Lida Xu

  5. Institute of Software Technology and Interactive Systems, Vienna University of Technology and SBA Research, Favoritenstraße 9-11, 1040, Vienna, Austria

    Edgar Weippl


Copyright information

© 2012 IFIP International Federation for Information Processing

About this paper

Cite this paper

Jaatun, M.G. (2012). Hunting for Aardvarks: Can Software Security Be Measured?. In: Quirchmayr, G., Basl, J., You, I., Xu, L., Weippl, E. (eds) Multidisciplinary Research and Practice for Information Systems. CD-ARES 2012. Lecture Notes in Computer Science, vol 7465. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32498-7_7

  • DOI: https://doi.org/10.1007/978-3-642-32498-7_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-32497-0

  • Online ISBN: 978-3-642-32498-7

  • eBook Packages: Computer Science (R0)
