DocumentCode :
2129706
Title :
Defining an adaptive software security metric from a dynamic software failure tolerance measure
Author :
Voas, J. ; Ghosh, A. ; McGraw, G. ; Charron, F. ; Miller, K.
Author_Institution :
Reliable Software Technol., Sterling, VA, USA
fYear :
1996
fDate :
17-21 Jun 1996
Firstpage :
250
Lastpage :
263
Abstract :
This paper describes a software assessment method that is being implemented to quantitatively assess information system security and survivability. Our approach, which we call Adaptive Vulnerability Analysis, exercises software (in source-code form) by simulating incoming malicious and non-malicious attacks that fall under various threat classes. A quantitative metric is computed by determining whether the simulated threats undermine the security of the system as defined by the user according to the application program. This approach stands in contrast to common security assurance methods that rely on black-box techniques for testing completely-installed systems. AVA does not provide an absolute metric, such as mean-time-to-failure, but instead provides a relative metric, allowing a user to compare the security of different versions of the same system, or to compare non-related systems with similar functionality.
Keywords :
computer crime; program verification; security of data; software metrics; adaptive software security metric; adaptive vulnerability analysis; dynamic software failure tolerance measure; exercises software; functionality; information system security; quantitative metric; relative metric; security assurance methods; software assessment method; source-code form; survivability; threat classes; Analytical models; Application software; Computational modeling; Computer science; Computer security; Information security; Software engineering; Software measurement; Software performance; System testing;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Computer Assurance, 1996. COMPASS '96, Systems Integrity. Software Safety. Process Security. Proceedings of the Eleventh Annual Conference on
Conference_Location :
Gaithersburg, MD
Print_ISBN :
0-7803-3390-X
Type :
conf
DOI :
10.1109/CMPASS.1996.507892
Filename :
507892
Link To Document :