A Phase-wise Review of Software Security Metrics

  • Syed Anas Ansar
  • Alka
  • Raees Ahmad Khan
Conference paper
Part of the Lecture Notes on Data Engineering and Communications Technologies book series (LNDECT, volume 4)


Integrating security into each phase of the Software Development Life Cycle (SDLC) has become an urgent need, and security must not be overlooked in the early phases of the SDLC, since addressing it early minimizes the cost and effort required in later phases of the life cycle. Software security metrics are the tools used to judge the level of security of software: without metrics, no one can establish the usefulness of any approach that claims to improve the security of software. This paper presents a phase-wise review of security metrics and the issues in their adoption. Although security metrics are available for each phase of the software development life cycle, their usefulness in the software industry or in research remains in question until they are validated. In addition, concrete research is needed to develop security metrics for the early phases of the software development life cycle.


Keywords: Software security; Security metrics; Software development life cycle



This work is sponsored by UGC-MRP, New Delhi, India under F. No. 43-391/2014 (SR).



Copyright information

© Springer Nature Singapore Pte Ltd. 2018

Authors and Affiliations

Department of IT, Babasaheb Bhimrao Ambedkar University, Lucknow, India
