Abstract Details

9/26/2017  |   11:15 AM - 12:00 PM   |  Track 3 - Metrics

Security Measurement - building confidence that the system is secure

How can we establish reasonable confidence that the security of a system will meet its operational needs? The first challenge is to establish that the requirements define the appropriate security behavior and that the design addresses those security concerns. The second challenge is to establish that the completed system, as built, fully satisfies the specifications. Measures that provide assurance must, therefore, address requirements, design, construction, and test. Software is a major part of every system, typically handling over 80% of the functionality, and we know that software is never defect free. According to Jones and Bonsignour, the average defect level in the U.S. is 6,000 defects per million lines of code (MLOC) for a high-level language. Thus software, on average, cannot be expected to function perfectly as intended. Additionally, we cannot establish that software is completely free from vulnerabilities, since our research indicates that about 5% of defects should be categorized as vulnerabilities (roughly 300 per MLOC at the average defect level cited above). The SEI is researching how measurement can be applied to monitor and manage software security, in order to frame an approach that supports our confidence that a system is secure. This presentation will share our progress to date.


Carol Woody (Primary Presenter), Software Engineering Institute, cwoody@cert.org
Dr. Carol Woody has been a senior member of the technical staff at the Software Engineering Institute since 2001. She is the technical manager of the CERT Cybersecurity Engineering team, which addresses security and survivability throughout the acquisition and development lifecycles, especially in the early stages. Her research focuses on building capabilities for measuring, managing, and sustaining cybersecurity for highly complex networked systems and systems of systems. She coauthored the book Cyber Security Engineering: A Practical Approach for Systems and Software Assurance, published in November 2016 by Pearson Education, InformIT, as part of the SEI Series in Software Engineering.

2017 Sponsors: IEEE and IEEE Computer Society