Hunting for Aardvarks: Can Software Security Be Measured?

  • Martin Gilje Jaatun
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7465)


When you are in charge of building software from the ground up, software security can be encouraged through the use of secure software development methodologies. However, how can you measure the security of a given piece of software that you didn’t write yourself? In other words, when looking at two executables, what does “a is more secure than b” mean? This paper examines some approaches to measuring software security, and recommends that more organisations should employ the Building Security In Maturity Model (BSIMM).





Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Martin Gilje Jaatun, Department of Software Engineering, Safety and Security, SINTEF ICT, Trondheim, Norway
