Taxonomy of quality metrics for assessing assurance of security correctness

Authors:
Moussa Ouedraogo;Reijo M. Savola;Haralambos Mouratidis;David Preston;Djamel Khadraoui;Eric Dubois
Affiliations:
Service Science and Innovation Department (SSI), Public Research Center Henri Tudor, Kirchberg, Luxembourg 1855 and School of Architecture, Computing and Engineering, University of East London, Lo ...;VTT Technical Research Centre of Finland, Oulu, Finland;School of Architecture, Computing and Engineering, University of East London, London, UK;School of Architecture, Computing and Engineering, University of East London, London, UK;Service Science and Innovation Department (SSI), Public Research Center Henri Tudor, Kirchberg, Luxembourg 1855;Service Science and Innovation Department (SSI), Public Research Center Henri Tudor, Kirchberg, Luxembourg 1855
Venue:
Software Quality Control
Year:
2013

Citing 26
Cited 0

Pretty good assurance

NSPW '95 Proceedings of the 1995 workshop on New security paradigms
Hack I.T.: security through penetration testing

Hack I.T.: security through penetration testing
Software Metrics: A Rigorous and Practical Approach

Software Metrics: A Rigorous and Practical Approach
Towards a Framework for Software Measurement Validation

IEEE Transactions on Software Engineering
A Practical Approach to Measuring Assurance

ACSAC '98 Proceedings of the 14th Annual Computer Security Applications Conference
Information Assurance Measures and Metrics " State of Practice and Proposed Taxonomy

HICSS '03 Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS'03) - Track 9 - Volume 9
A CC-based Security Engineering Process Evaluation Model

COMPSAC '03 Proceedings of the 27th Annual International Conference on Computer Software and Applications
A Quantitative Study of Firewall Configuration Errors

Computer
Scenario graphs and attack graphs

Scenario graphs and attack graphs
On the Brittleness of Software and the Infeasibility of Security Metrics

IEEE Security and Privacy
A New Evaluation Strategy Based on Combining CC and SSE-CMM for Security Systems and Products

GCC '06 Proceedings of the Fifth International Conference on Grid and Cooperative Computing
Requirements Engineering

Requirements Engineering
Number of Faults per Line of Code

IEEE Transactions on Software Engineering
Towards a taxonomy for information security metrics

Proceedings of the 2007 ACM workshop on Quality of protection
A Near Real-Time System for Security Assurance Assessment

ICIMP '08 Proceedings of the 2008 The Third International Conference on Internet Monitoring and Protection
Quantitative risk-based security prediction for component-based systems with explicitly modeled attack profiles

Journal of Systems and Software
On the effectiveness of early life cycle defect prediction with Bayesian Nets

Empirical Software Engineering
Security compliance: the next frontier in security research

Proceedings of the 2008 workshop on New security paradigms
On the Operational Security Assurance Evaluation of Networked IT Systems

NEW2AN '09 and ruSMART '09 Proceedings of the 9th International Conference on Smart Spaces and Next Generation Wired/Wireless Networking and Second Conference on Smart Spaces
Multi-agent based security assurance monitoring system for telecommunication infrastructures

CNIS '07 Proceedings of the Fourth IASTED International Conference on Communication, Network and Information Security
Secure Systems Development with UML

Secure Systems Development with UML
Structured Assurance Case Methodology for Assessing Software Trustworthiness

SSIRI-C '10 Proceedings of the 2010 Fourth International Conference on Secure Software Integration and Reliability Improvement Companion
The irreversible march of technology

Information Security Tech. Report
An Attack Surface Metric

IEEE Transactions on Software Engineering
Assessing the maintainability of software product line feature models using structural metrics

Software Quality Control
Appraisal and reporting of security assurance at operational systems level

Journal of Systems and Software

Quantified Score

Hi-index	0.00

Visualization

Abstract

Assurance is commonly considered as "something said or done to inspire confidence" (Webster dictionary). However, the level of confidence inspired from a statement or an action depends on the quality of its source. Similarly, the assurance that the deployed security mechanisms exhibit an appropriate posture depends on the quality of the verification process adopted. This paper presents a novel taxonomy of quality metrics pertinent for gaining assurance in a security verification process. Inspired by the systems security engineering capability maturity model and the common criteria, we introduce five ordinal quality levels for a verification process aimed at probing the correctness of runtime security mechanisms. In addition, we analyse the mapping between the quality levels and different capability levels of the following verification metrics families: coverage, rigour, depth and independence of verification. The quality taxonomy is part of a framework for the Security Assurance of operational systems. These metrics can also be used for gaining assurance in other areas such as legal and safety compliance. Furthermore, the resulting metrics taxonomy could, by identifying appropriate quality security requirements, assist manufacturers of information technology (IT) in developing their products or systems. Additionally, the taxonomy could also empower consumers in IT security product selection to efficaciously and effectively match their organisational needs, while IT security evaluators can use it as a reference point when forming judgments about the quality of a security product. We demonstrate the applicability of the proposed taxonomy through access control examples.