Software Security Measurement and Analysis
Decision makers (such as development and acquisition program and project
managers) lack confidence in the security of their software-reliant systems
unless they have established methods to measure this security. We address this need through the Software Security Measurement and Analysis (SSMA) project.
Our main goal is to develop a risk-based approach for
measuring and monitoring the security characteristics of interactively
complex, software-reliant systems across the life cycle and supply chain. To
help achieve this goal, we have developed the SEI Integrated
Measurement and Analysis Framework (IMAF) and the SEI Mission Risk Diagnostic
(MRD).
SEI Integrated Measurement and Analysis Framework (IMAF)
Decision makers often have trouble “connecting the dots” among
the detailed, disparate data available from interactively complex
systems. As a result, they can find it difficult to understand a
system’s macro-level behavior.
The IMAF integrates performance data for individual components, including
targeted analysis, status reporting, and measurement activities, to provide a
consolidated view of the performance of software-reliant systems. The IMAF can
also highlight where additional data need to be collected.
You can apply the framework in a variety of contexts, including software
security, operational security, acquisition program management, and software
development.
SEI Mission Risk Diagnostic (MRD)
The Mission Risk Diagnostic is a versatile method for assessing risk in
interactively complex software-reliant systems that can be applied across the
life cycle (acquisition, development, operations) and supply chain. It
analyzes a set of systemic risk factors to aggregate decision-making data and
provides decision makers with a benchmark of a system's current state. The
resulting gap between a system's current and desired states points to
specific areas where additional investment is warranted.
The SEI staff has used the MRD method to assess risk in a variety
of domains, including software security, supply chain assurance, cyber
security processes, software acquisition and development programs, and
business portfolio management.
How We Can Help You
Our staff can
- conduct an expert-led risk assessment of your critical systems
using the MRD
- teach you how to perform risk self-assessments using the MRD
- develop a customized risk assessment that meets your unique
requirements
- develop risk models and simulations
- identify software security measures using the IMAF
- develop custom risk management and measurement solutions to help meet
your software security needs
For more information, contact us at info [@] sei.cmu.edu.