Measuring software security from the design of software
Saarela, Marko (2016-02-05)
Measuring software security from the design of software
(05.02.2016)
Turun yliopisto
avoin
Julkaisun pysyvä osoite on:
https://urn.fi/URN:NBN:fi-fe201602054904
https://urn.fi/URN:NBN:fi-fe201602054904
Kuvaus
Siirretty Doriasta
Tiivistelmä
The vast majority of our contemporary society owns a mobile phone, which has
resulted in a dramatic rise in the amount of networked computers in recent
years. Security issues in the computers have followed the same trend and nearly
everyone is now affected by such issues. How could the situation be improved?
For software engineers, an obvious answer is to build computer software with
security in mind.
A problem with building software with security is how to define secure software
or how to measure security. This thesis divides the problem into three research
questions. First, how can we measure the security of software? Second, what
types of tools are available for measuring security? And finally, what do these
tools reveal about the security of software? Measuring tools of these kind are
commonly called metrics.
This thesis is focused on the perspective of software engineers in the software
design phase. Focus on the design phase means that code level semantics or
programming language specifics are not discussed in this work. Organizational
policy, management issues or software development process are also out of the
scope. The first two research problems were studied using a literature review
while the third was studied using a case study research. The target of the case
study was a Java based email server called Apache James, which had details from
its changelog and security issues available and the source code was accessible.
The research revealed that there is a consensus in the terminology on software
security. Security verification activities are commonly divided into evaluation
and assurance. The focus of this work was in assurance, which means to verify
one’s own work. There are 34 metrics available for security measurements, of
which five are evaluation metrics and 29 are assurance metrics.
We found, however, that the general quality of these metrics was not good. Only
three metrics in the design category passed the inspection criteria and could
be used in the case study. The metrics claim to give quantitative information
on the security of the software, but in practice they were limited to evaluating
different versions of the same software. Apart from being relative, the
metrics were unable to detect security issues or point out problems in the
design. Furthermore, interpreting the metrics’ results was difficult.
In conclusion, the general state of the software security metrics leaves a lot
to be desired. The metrics studied had both theoretical and practical issues,
and are not suitable for daily engineering workflows. The metrics studied
provided a basis for further research, since they pointed out areas where the
security metrics were necessary to improve whether verification of security
from the design was desired.
resulted in a dramatic rise in the amount of networked computers in recent
years. Security issues in the computers have followed the same trend and nearly
everyone is now affected by such issues. How could the situation be improved?
For software engineers, an obvious answer is to build computer software with
security in mind.
A problem with building software with security is how to define secure software
or how to measure security. This thesis divides the problem into three research
questions. First, how can we measure the security of software? Second, what
types of tools are available for measuring security? And finally, what do these
tools reveal about the security of software? Measuring tools of these kind are
commonly called metrics.
This thesis is focused on the perspective of software engineers in the software
design phase. Focus on the design phase means that code level semantics or
programming language specifics are not discussed in this work. Organizational
policy, management issues or software development process are also out of the
scope. The first two research problems were studied using a literature review
while the third was studied using a case study research. The target of the case
study was a Java based email server called Apache James, which had details from
its changelog and security issues available and the source code was accessible.
The research revealed that there is a consensus in the terminology on software
security. Security verification activities are commonly divided into evaluation
and assurance. The focus of this work was in assurance, which means to verify
one’s own work. There are 34 metrics available for security measurements, of
which five are evaluation metrics and 29 are assurance metrics.
We found, however, that the general quality of these metrics was not good. Only
three metrics in the design category passed the inspection criteria and could
be used in the case study. The metrics claim to give quantitative information
on the security of the software, but in practice they were limited to evaluating
different versions of the same software. Apart from being relative, the
metrics were unable to detect security issues or point out problems in the
design. Furthermore, interpreting the metrics’ results was difficult.
In conclusion, the general state of the software security metrics leaves a lot
to be desired. The metrics studied had both theoretical and practical issues,
and are not suitable for daily engineering workflows. The metrics studied
provided a basis for further research, since they pointed out areas where the
security metrics were necessary to improve whether verification of security
from the design was desired.