Integrated Measurement and Analysis Framework for Software Security
CARNEGIE-MELLON UNIV PITTSBURGH PA SOFTWARE ENGINEERING INST
Pagination or Media Count:
In todays business and operational environments, multiple organizations routinely work collaboratively to acquire, develop, deploy, and maintain technical capabilities via a set of interdependent, networked systems. Measurement in these distributed management environments can be an extremely challenging problem. The CERTR Program, part of Carnegie Mellon Universitys Software Engineering Institute SEI, is developing the Integrated Measurement and Analysis Framework IMAF to enable effective measurement in distributed environments, including acquisition programs, supply chains, and systems of systems. The IMAF defines an approach that integrates subjective and objective data from multiple sources targeted analysis, reports, and tactical measurement and provides decision makers with a consolidated view of current conditions. This report is the first in a series that addresses how to measure software security in complex environments. It poses several research questions and hypotheses and presents a foundational set of measurement concepts. It also describes how meaningful measures provide the information that decision makers need when they need it and in the right form. Finally, this report provides a conceptual overview of the IMAF, describes methods for qualitatively and quantitatively collecting data to inform the framework, and suggests how to use the IMAF to derive meaningful measures for analyzing software security performance.
- Computer Systems Management and Standards