Software Security Measurement and Analysis
Without established methods to measure how secure software is, decision makers (for example, development and acquisition program and project managers) lack confidence in the security of their software-reliant systems. We are addressing this need through the Software Security Measurement and Analysis (SSMA) project.
Through this project, we are exploring how to use risk analysis to direct an organization’s software security measurement and analysis efforts. The overarching goal is to develop a risk-based approach for measuring and monitoring the security characteristics of interactively complex, software-reliant systems across the life cycle and supply chain. To help achieve this goal, the project team has developed the SEI Integrated Measurement and Analysis Framework (IMAF) and the SEI Mission Risk Diagnostic (MRD).
SEI Integrated Measurement and Analysis Framework (IMAF)
Decision makers often have trouble “connecting the dots” among the very detailed, disparate data available from interactively complex systems. As a result, decision makers can find it difficult to understand a system’s macro-level behavior.
The IMAF helps decision makers by integrating performance data for individual components, including targeted analysis, status reporting, and measurement activities, to provide a consolidated view of the performance of software-reliant systems. The IMAF can also highlight where additional data need to be collected. The framework is designed for application in a variety of contexts, including software security, operational security, acquisition program management, and software development.
SEI Mission Risk Diagnostic (MRD)
Traditional, tactical risk assessments decompose a system into individual components and then analyze potential failure modes of only the most critical components. As a result, tactical risk assessments provide an incomplete view of risk and are insufficient for establishing confidence in the security of software-reliant systems.
The MRD analyzes the risk to the system as a whole, providing a comprehensive view of the overall risk to a system’s mission. The MRD has proven to be effective for establishing confidence in the security characteristics of software-reliant systems across the life cycle and supply chain. The MRD method has been used by SEI staff to assess risk in a variety of problem spaces, including software security, supply chain assurance, cyber security processes, software acquisition and development programs, and business portfolio management.
Products and Services
We offer the following products and services to help decision makers measure the security of software systems. For more information, contact us at info [@] sei.cmu.edu.
- Risk Assessments: CERT staff can perform MRD risk assessments for customers.
- Software Security Measure Identification: CERT staff can apply the IMAF in a customer setting to identify software security measures.
- Training: CERT staff can deliver the one-day MRD Method training at a customer’s site.
- Custom Solutions: CERT staff can develop custom risk management and measurement solutions to help customers meet their software security needs.