Software Security Metric Identification Framework - ACM Digital Library

International Conference on Advances in Computing, Communication and Control (ICAC3’09)

Software Security Metric Identification Framework (SSM)

S. Chandra
Department of Information Technology, BBA University, Raebareli Road, Lucknow, U.P., India
+91-9415466832

R. A. Khan
Department of Information Technology, BBA University, Raebareli Road, Lucknow, U.P., India
+91-9355326318

ABSTRACT

Security improvement is the foremost concern for both industry professionals and academicians. Measurement is one of the most powerful techniques to control an activity. Experts are continuously trying to explore the importance of design knowledge of security. Security of object-oriented software is highly dependent on software design. In order to achieve security, a metric to quantify it may be used. Security metrics are high-level quantifiable measures. In order to quantify security, a security metric suite is required. Several security models, security metrics, and object-oriented metrics are available in the literature. But most of the metrics available in the literature are not validated and hence are unutilized or underutilized. In the absence of any standard framework identifying validated and reliable metrics, it seems worthwhile to develop a viable framework for the development of security metrics. The framework proposed in this paper provides a systematic way to identify a security metric suite and, if unavailable, develop a validated design security metric

Categories and Subject Descriptors
D.2.2 [Design Tools and Techniques]: Object-oriented design methods, D.2.8 [Metrics]: Product Metric, D.2.10 [Design]: Methodologies, D2.4.6 [Security and protection]: verification, F.1.2.3 [Complexity measures and classes]: Relations among complexity measures. K.6.1. [Project and people management]: Life cycle, systems development, K.6.3 [Software management]: Software development, software process, K.6.m [Miscellaneous]: Security

General Terms
Measurement, Design, Security.

Keywords
Software security, Security metric, Security quantification.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. ICAC3’09, January 23–24, 2009, Mumbai, Maharashtra, India. Copyright 2009 ACM 978-1-60558-351-8…$5.00.

1. INTRODUCTION

Every sector of our life is moving towards information technology. Software is becoming an inevitable part of every organization and industry. Most processes are dependent on software, and applications of software are growing rapidly. Now, security and quality improvement is the foremost concern for all software developers, project managers, etc. Experts are continuously trying to explore the importance of design knowledge of quality and security. Several quantification methodologies are available in the literature [1]. Quantitative estimation of quality based on empirical study of software is not new. Security is one of the major factors of quality. Therefore, it is possible to quantify security based on quality quantification methodologies for object-oriented software. Object-oriented software design is the most popular design paradigm. Relationships between components are the most essential part of the high-level design of software. Analysis of the structure of relationships depicts the robustness of design decisions [2]. Quality and security of object-oriented software are highly dependent on the design of the software. It has been noticed that security experts face problems in deciding how secure a piece of software is. Only qualitative assessment of security may not be acceptable for long. Software may be less or more secure than another. In spite of much research, security quantification is still at an immature stage. Security estimation of software and vulnerability prediction is still a difficult process [3].

A security metric is a high-level quantifiable measure of software security. In order to quantify security, a security metric suite is required. Several security models, security metrics, and object-oriented metrics are available in the literature. The literature survey reveals that no framework is available to identify a viable security metric suite. The framework presented in this paper provides a systematic way to identify a security metric suite. It further assesses the applicability of the available metric suite. If it is not applicable, the framework provides a roadmap to develop a new security metric in order to achieve the set objective. The second section of the paper presents an overview of security metrics. In the third section, relevant work is discussed. In the fourth section, the software security estimation process is discussed in brief. The fifth section presents the needs and objectives of the framework. The sixth section discusses the framework at length. The seventh section presents findings and future work of the proposed framework. The eighth section concludes by summarizing the developed framework to identify a security metric suite in the early stage of the software development life cycle.

2. SECURITY METRICS

The world is becoming more interconnected with and dependent on software. Software provides greater facilities, and the efficiency of organizations and industries has surely improved. Industrialists and academicians are more concerned about security. Different mechanisms to control security violations, such as firewalls, confidentiality, integrity and so on, are essential. Nevertheless, they are not entirely sufficient, nor capable enough to provide attack resistance to either the software implementation or the design. In order to provide attack resistance, it is essential to keep the following considerations in mind [4, 5].

• What could go wrong with my software?
• What are the problems making software vulnerable?
• During software development, what changes may affect the application’s security?

3. RELEVANT WORK

It is evident from the literature survey that a lot of work has been done in the area of security measurement. A security metric was proposed to evaluate and rank the security criticalities of different variables in a program using attack impact injection [10]. P. Mandhata introduced the attack surface metric [11] and M. Howard introduced the relative attack surface metric [14]. R. Savola introduced a high abstraction level taxonomy to support the developmental feasibility of security metrics [12]. R. Scandariato et al. floated the idea of security properties of software that are quantitative in nature with regard to assessment. They further described proactive estimation of software security, especially during the architecture/design phases, using suitable security metrics [13]. Some of the security measurement work in the literature focused on vulnerability assessment of software at the system level [14]. Elizabeth’s remarks on the importance of design time metrics strengthen the need and significance of carrying out the work proposed in this paper, as they stem from their ability to identify and characterize weaknesses early in the application’s life cycle, when such weaknesses cost much less to fix [15].

4. SOFTWARE SECURITY ESTIMATION

Software security estimation is the process of quantitative assessment of product security. It is a complete structured process. It is required to bring down error rates at every stage of the life cycle. Minimizing error rates reduces the probability of failures and cost [16]. Security modeling techniques, including threat modeling and vulnerability modeling, contribute to mitigating security issues [16, 17]. The design phase is the first step from the problem domain to the solution domain. It is the most appropriate phase in which to estimate the security of the software. Security estimation of software in this phase will help to protect software from loss [18].

An integrated and prescriptive framework is proposed in [7, 19]. The framework may be used in the design phase in order to predict the security of software in a quantitative manner. Security may be assessed qualitatively based on the results obtained. The High Level Diagram (HLD) and Low Level Diagram (LLD) are used as input to the process. The security estimation process is performed in five phases. Quantitative assessment of security provides the basis for qualitative analysis and security analysis. The framework provides a roadmap for the developer or end user to estimate software security in the design phase. The goal of the software Security Estimation Framework (SEF) is to provide high-level protection to the software and contribute to the mitigation of security failures [19].

Figure 1. Security Metric Identification Framework


Figure 2. Security Metric Identification Framework: A Detailed View

5. NEEDS AND OBJECTIVES

Security metrics are high-level measurements for different aspects such as process, network, software, etc. Many software developers and practitioners believe that many measures and metrics are available that may be used to predict security characteristics, including penetration success rates, coupling and cohesion of security relevant software, testing defect rates, process quality and so on [20]. Defining security metrics is in its infancy. Therefore, a well-accepted approach to defining security metrics is still missing [12]. Several security models, security metrics, and object-oriented metrics are available in the literature. But most of the metrics available in the literature are not validated and hence are unutilized or underutilized. In the absence of any standard framework identifying validated and reliable metrics, a viable framework for delivering a security metric needs to be proposed. The objectives of the framework are:

• To identify the security metric requirements;
• To identify the software characteristics and security measures used to compute security of the software in design phase;
• To identify a validated set of security metric suite in design phases of software development life cycle; and
• To find out a way to combine software models, software characteristics, and security metric to produce an overall assessment of security.

6. THE FRAMEWORK

Software runs properly only if it is fully secured against flaws, vulnerabilities, bugs, and threats. The heterogeneous architecture of software does not allow securitization of security properties at a glance. An activity cannot be controlled or managed if it is not measured. To meet the security level, quantification of security metrics is required [21, 22, 23]. Security metrics are used to evaluate the robustness of software [24, 25]. Security metrics may help organizations by providing decision making capabilities if they offer a quantitative and objective basis for security assurance [12].

By implementing a security metric suite, secured software may be developed. There is constant demand for making software as efficient as possible and able to stay in a competitive environment. It is required to develop a security metric suite capable of analyzing the security level of software. A framework is proposed to identify or design a metric suite to categorize weaknesses at an early stage of the software development life cycle [4]. A generic framework to identify security metrics is depicted in figure 1, and performs the following tasks:

• Specify Metric Requirements [26]
• Identify Vulnerabilities [27]
• Identify Software Characteristics
• Analyze Security Models [28]
• Categorize Security Metrics [12]
• Specify Security Metric Measures
• Design Metric Development process
• Develop Security Metric
• Finalize Metric Suite

A detailed view of the framework for identification of security metrics, comprising ten key steps, is depicted pictorially in figure 2. A brief description of each step is given here.

6.1 Specify Security Metrics Requirements

This is the first step of the security metric identification framework. In order to act according to a specific set standard, it is required to specify its requirements. It should be clear for what purpose security metric identification is required. Validation of security requirements may lead to validation of the software architecture from a security point of view. Requirement elicitation provides the basis for deducing the specification of subsequent steps of the framework [5]. In order to achieve the objective of the step, the following set of activities needs to be carried out:

• Set Security Objective
• Specify Requirements
• Verify Requirements

6.2 Identify Software Vulnerabilities

Identification of vulnerabilities involves in-depth study of vulnerabilities, their origin, and causes, which may help during vulnerability mitigation [29, 30]. There exist different criteria on the basis of which vulnerabilities are classified. These criteria include the nature of the vulnerability, techniques used to exploit it, software hardware interfaces that lead to the vulnerability, etc. [31, 32]. Classification may involve:

• In which phase was the vulnerability introduced?
• When was it first detected?
• What are the causes which lead to this vulnerability?

This categorization may help to resolve vulnerabilities of the same type with less effort, as they can be treated in the same way. It also helps to identify recurring vulnerabilities and the causes of their occurrence [29]. To address these issues, the following steps need to be followed:

• Identify Vulnerability
• Categorize Phase wise
• Inherit Design Phase Vulnerabilities

6.3 Identify Software Characteristics

Security estimation of software does not produce or ensure good software; it only gives an indication of the security level of the software. This process is required to identify object-oriented software characteristics that are activated during the design phase of software development and serve to define a variety of security factors. This step includes the following activities:

• Set criteria
• Identify software characteristics
• Inherit Design Phase characteristics

6.4 Analyze OO Models

The goal of this step is to analyze available object-oriented models. It needs to be clear how the properties of a model interact to provide a particular level of performance. Already existing models may provide the basis for designing and implementing a new security model. This new model may be obtained by simple modification of an existing model and should be able to quantify security at an early stage of the development life cycle. The following steps are suggested to fulfill the objective:

• Identify Metric Based Models
• Categorize Models
• Inherit Design Phase Model

6.5 Analyze Security Metrics

During security quantification of software, security metrics are required. The purpose of this step is to analyze available security metrics before using a metric for quantification of security. Several metrics are available based on different approaches. First, there is a need to identify the available security metrics and then to verify whether they are authenticated. Identified security metrics may be based on different approaches. Therefore, to meet the objective of quantification of security, it is required to determine which measurement approach is suited to the requirement. To analyze available security metrics, the following steps need to be followed:

• Identify Security Metric
• Authentication Verification
• Approaches of Measurement

6.6 Categorize Security Metrics

Several metrics are available related to measurement of software at different stages of the software development life cycle. Plenty of work has been done in the area of software security. Security metrics may belong to any stage of the development life cycle. The objective of this step is to come up with a set of security metrics phase wise. The set of security metrics may help during the quantification of security in the design phase. To satisfy the objective of this step, the following activities need to be carried out:

• List out security metrics
• Categorize Phase wise
• Inherit Design Phase Metrics

6.7 Specify Security Metric Measures

The well-accepted paradigm "what you cannot measure, you cannot control" is applicable as far as security metrics are concerned. For quantification of security, measures are required. It is important to think about the measures of security of software and how to go about measuring them. To serve the purpose, there is a need to figure out just what behavior is expected from the software. The list of security measures and object-oriented metric measures encountered in the design phase may be inherited from the list of identified metric measures. Identified design phase security measures will facilitate the selection of security measures according to their use, environment, and resources. This will provide a basis for deciding which security measures need to be integrated in the software. The following tasks can be followed to satisfy the objective of the step:

• Identify Metric Measures
• Inherit OO Metric Measures
• Select Security Measures

6.8 Design Metric Development Process

Development of a security metric is a challenging task [32]. Therefore, it is necessary to have a security metric development framework in order to design an efficient security metric [33]. The purpose of this step is to design a process to derive a security metric to quantify security measures. The guideline defines the way to develop the metric. During development of the process, a pragmatic view should be taken. If all factors and measures are considered, this may become complicated, ineffective, or useless. Therefore, there is a need to finalize the factors and measures which affect the activity. The following steps need to be carried out in order to get the security metric development process:

• Design Guideline
• Select Approach
• Finalize Factors and measures

6.9 Design Security Metric

Demand for security improvement has spurred the need for security metrics. A security metric can help us understand more about the security of the product and the effect of processes and services. As discussed earlier, the development of metrics is a challenging task and needs in-depth analysis of the metrics to be used [32]. For quantitative assessment of software security, there is a need to develop an efficient security metric. To design a security metric, these steps need to be followed:

• Identify needs
• Establish computation
• Formulation

6.10 Finalize Metric Suite

Finalization of the metric suite is the last step of the security metric identification process. During this process, the set of metrics that are directly and undeniably related to the relevant measures is selected and verified. It is not advisable to include all the measures relevant to security attributes, as this will make the outcome ineffective. Therefore, it is suggested that before implementation or use of the metric facility, the most important metrics able to satisfy the premises be picked [34]. The step performs the following tasks:

• Set Premises
• Select Metrics
• Verify Metric Suite

7. FINDINGS AND FUTURE DIRECTIONS

A security metric identification framework has been proposed. Most importantly, the study presented in this paper provides a systematic, well-defined method for assessing the slippery issue associated with security quantification. This research work is still going on. The contributions of the work may be summarized as follows:

• An exhaustive literature review reveals that no security metric suite identification framework is available.
• The proposed framework produces a security metric suite.
• Previous experience has shown that no security metric suite is available for security quantification.
• The proposed framework is prescriptive in nature; every step of the framework may work as a separate module, contributing to the security quantification process.
• The proposed framework may serve as a backbone of the security estimation process.
• It includes all issues that need to be considered during security estimation of object-oriented software in the design phase.

The framework is in its infancy but is able to satisfy the objectives and provide a strong, viable basis for succeeding refinements and extensions. Future work includes 1) implementation of the framework in order to get a security metric suite, and 2) extension of the security metric development framework. Use of the framework can guide the design and analysis of security models and metrics activated in the design phase. A new process is needed to measure and represent the qualities of software security.

8. CONCLUSIONS

Security estimation of software must be a mandatory feature of software at an early stage of the development life cycle. By unifying security attributes, security models, security metrics and software characteristics, security estimation is possible at the early stage of the software development life cycle [7, 19]. For a security estimation mechanism, there is a need to develop efficient security metrics, and for the development of security metrics, a metric development framework is required. A framework for identification of security metrics has been proposed. The framework includes all issues related to security metrics, which are contributing to security quantification

9. REFERENCES

[1] Khaer, M. A., Hashem, M.M.A. and Masud, M. R. 2007. An Empirical Analysis of Software Systems for Measurement of Design Quality Level Based on Design Patterns. In Proceedings of 10th International Conference on Computer and Information Technology (United International University Dhaka, Bangladesh, 27-29 December 2007). ICCIT 2007. IEEE 2007. 1-6. DOI=10.1109/ICCITECHN.2007.4579432

[2] Allen, E.B. and Khoshgoftaar, T.M. 1999. Measuring Coupling and Cohesion: An Information-Theory Approach. In Proceedings of Sixth International Software Metrics Symposium. (Boca Raton, FL, USA, 4-6 November 1999). IEEE. 119-127. DOI=10.1109/METRIC.1999.809733

[3] Dwaikat, Z. and Presicce, F. P. 2005. Risky Trust: Risk-Based Analysis of Software Systems. In Proceedings of the 2005 Workshop on Software Engineering For Secure Systems - Building Trustworthy Application, (St. Louis, Missouri, USA, 15-16 May 2005), SESS’05. ACM. 1-7. DOI=http://doi.acm.org/10.1145/1083200.1083206.

[4] Nichols, E.A. and Peterson, G. 2007. A Metrics Framework to Drive Application Security Improvement, IEEE Security & Privacy, 5, 2, (March-April 2007), IEEE, 88-91. DOI=10.1109/MSP.2007.26

[5] Khan, R. A. and Mustafa, K. 2008. Secured Requirements Specification Framework. American Journal of Applied Sciences. 5, 12, 1622-1629.

[6] Chandra, S. and Khan, R.A. 2008. Software Security Estimation in Early Stage of Development Life Cycle. In Proceedings of National Conference on Emerging Technologies. (Lucknow, India, 29-30 March 2008), NCET 08. 1-3.

[7] Chandra, S., and Khan, R.A. 2008. Object-Oriented Software Security Estimation Life Cycle - Design Phase Perspective, Journal of Software Engineering, 2, 1(2008), 39-46.

[8] Khan, R. A. 2004. Quality Estimation of Object-Oriented Code: A Design Phase Perspective. Doctoral Thesis. Jamia Melia Islamia University. Delhi.

[9] Chandra, S. and Khan, R. A., “Early Identification of Software Security Factors (SSFf): A Prescriptive Framework”, International Arab Journal of Information Technology (IAJIT), 2008, (accepted 11th September).

[10] Cheng, X., He, N., Hsiao, M.S. 2008. A New Security Sensitivity Measurement for Software Variables. In Proceedings of IEEE Conference on Technologies on Homeland Security. (Waltham, MA 12-13 May 2008), IEEE, 593-598. DOI=10.1109/THS.2008.4534520

[11] Mandhata, P., Wing, J. M. 2005. An Attack Surface Metric. Technical Report, CMU-CS-05-155, Carnegie Mellon University. Pittsburgh.

[12] Savola, R. 2007. Towards a Security Metrics Taxonomy for the Information and Communication Technology, In Proceedings of International Conference on Software Engineering Advances, (Cap Esteral, French Riviera, France, 25-31 August 2007), ICSEA 2007, IEEE, 60-60. DOI=10.1109/ICSEA.2007.79

[13] Scandariato, R., Win, B. D. and Distrinet, W. J. 2006. Towards a measuring framework for security properties of software. In Proceedings of the 2nd ACM Workshop on Quality of Protection (Alexandria BA. USA, OCT 2006). ACM. 27-30. DOI=http://doi.acm.org/10.1145/1179494.1179500

[14] Howard, M., Pincus, J. and Wing, J. M. 2003. Measuring Relative Attack Surfaces, In Proceedings of Workshop on Advanced Developments in Software and System Security, 2003. Available as: CMU-TR-03-169, August 2003. Carnegie Mellon University. Pittsburgh.

[15] Nichols, E.A. and Peterson, G. 2007. A Metrics Framework to Drive Application Security Improvement, IEEE Security & Privacy, 5(2) March-April 2007, 88-91. DOI=10.1109/MSP.2007.26

[16] Zade, J. and DeVolder, D. 2007. Software Development and Related Security Issues, In Proceedings of IEEE Southeastcon 2007, (Richmond Marriott, 500 East Broad Street, Richmond, USA, 22-25 March 2007), IEEE, 746-748. DOI=10.1109/SECON.2007.343000

[17] Ardi, S., and Byers, D., Meland, P., Tondel, I. A., Shahmehri, N. 2007. How Can Developer Benefit From Security Modeling? In Proceedings of Second International Conference on Availability, Reliability, and Security, (Vienna University of Technology, Austria, 10-13 April 2007), ARES 2007, IEEE, 1017-1025. DOI=10.1109/ARES.2007.96

[18] Byers, D., and Shahmehri, N. 2007. Design of a Process for Software Security. In Proceedings of Second International Conference on Availability, Reliability, and Security (Vienna, Austria, 10-13 April 2007), ARES 2007, IEEE, 301-309. DOI=10.1109/ARES.2007.67

[19] Chandra, S., and Khan, R.A. 2008. Software Security Estimation Framework, 6th International Conference on Information Technology: New Generations, ITNG 2009 (Las Vegas, Nevada, USA, 27-29 April 2009) (communicated).

[20] Vaughn, R. B. 2001. Are Measures and Metrics for Trusted Information Systems Possible? In Proceedings of Sixth IEEE International Symposium on High Assurance Systems Engineering. (Boca Raton, Florida, 22-24 October, 2001). DOI=10.1109/HASE.2001.966802.

[21] Qu, W. and Zhang, D. 2007. Security Metrics Models and Application with SVM in Information Security Management, In Proceedings of the Sixth International Conference on Machine Learning and Cybernetics (Hong Kong, 19-22 August 2007), IEEE, 3234-3238. DOI=10.1109/ICMLC.2007.4370705

[22] Naqvi, S. and Riguide, M. 2008. Quantifiable Security Metrics for Large Scale Heterogeneous Systems, In Proceedings of IEEE Carnahan Conferences Security Technology, (Lexington, Kentucky, 16-20 October 2006), IEEE, 209-215. DOI=10.1109/CCST.2006.313452

[23] Eichberg, M., Germanus, D., Mezini, M., Mrokon, L., and Schafer, T. 2006. QScope: an Open, Extensible Framework for Measuring Software Projects, In Proceedings of the Conference on Software Maintenance and Reengineering, (Bari, Italy, 22-24 March 2006), CSMR’06. IEEE, 113-122. DOI=10.1109/CSMR.2006.42

[24] Payne, S.C. 2007. A guide to security metrics, SANS institute 2007. Available at:

[25] McCurley, J., Zubrow, D. and Dekkers, C. 2007. Measures and Measurement for Secure Software Development, Build Security In, 2007. Available at: https://buildsecurityin.uscert.gov/daisy/bsi/articles/bestpractices/measurement/227.html.

[26] Moreira, A., Araújo, J. and Brito, I. 2002. Crosscutting Quality Attributes for Requirements Engineering, In Proceedings of Software Engineering and Knowledge Engineering Conference, (Ischia, Italy, 15-19 July 2002), SEKE 2002, ACM, 27, 167-174. DOI=http://doi.acm.org/10.1145/568760.568790

[27] Alhazmi, O. H. and Malaiya, Y. K. 2005. Quantitative Vulnerability Assessment of Systems Software. In Proceedings of Reliability and Maintainability Symposium, 2005. (New York, 24-27 January 2005), IEEE, 615-620. DOI=10.1109/RAMS.2005.1408432

[28] Goertzel, K. M., Winograd, T., McKinley, H. L., Oh, L., Colon, M., McGibbon, T., Fedchak, E. and Vienneau, R. 2007. Software Security Assurance, State-of-the-Art Report (SOAR), Information Assurance Technology Analysis Centre (IATAC) and Data and Analysis Center for Software, (31 July 2007

Card, D. N. 1998. Learning from Our Mistakes with Defect Causal analysis, IEEE Software, 15, 1, (January-February 1998), 56-63. DOI=10.1109/52.646883

[29] Agrawal, A., Chandra, S., and Khan, R.A. 2009. An Efficient Measurement of Object-Oriented Design Vulnerability, In Proceedings of International Conference on availability, Reliability and Security, (Fukuoka, Japan, 16-19 March 2008), ARES 2009, (accepted).

[30] Hadavi, M. A., Sangehi, H. M., Hamishagi, V. S. and Shirazi, H. 2008. Software Security; A Vulnerability – Activity Revisit. In Proceedings of International Conference on availability, Reliability and Security, (University of California, Barcelona, Spain, 4-7 March 2008), ARES 2008, IEEE, 866-872. DOI=10.1109/ARES.2008.200

[31] Savola, R. and Holappa, J. 2005. Self-Measurement of the Information Security Level in a Monitoring System Based on Mobile Ad Hoc Networks. In Proceedings of IEEE International Workshop on Measurement Systems for Homeland Security, Contraband Detection and Personal Safety (Orlando, FL, USA, 29-30 March 2005). IMS 2005. 42-49. DOI=10.1109/MSHS.2005.1502553

[32] Chandra, S. and Khan, R. A. 2008. Security Estimation Method: A Quantification Approach. In Proceedings of International Conference on Computing. (Kerala, 23-25 September 2008). IEEE sponsored. 316-319.

[33] Talbi, T.; Meyer, B.; Stapf, E. 2001. A Metric Framework for Object-oriented development. In Proceedings of International Conference and Exhibition on Technology of Object-Oriented Languages and Systems, (Santa Barbara, CA, USA, July 29 - August 3 2001), IEEE. 164-172. DOI=10.1109/TOOLS.2001.9