Defining an adaptive software security metric from a dynamic software failure tolerance measure

This paper describes a software assessment method that is being implemented to quantitatively assess information system security and survivability. Our approach-which we call Adaptive Vulnerability Analysis-exercises software (in source-code form) by simulating incoming malicious and non-malicious attacks that fall under various threat classes. A quantitative metric is computed by determining whether the simulated threats undermine the security of the system as defined by the user according to the application program. This approach stands in contrast to common security assurance methods that rely on black-box techniques for testing completely-installed systems. AVA does not provide an absolute metric, such as mean-time-to-failure, but instead provides a relative metric, allowing a user to compare the security of different versions of the same system, or to compare non-related systems with similar functionality