软件安全度量技术综述.doc

软件安全度量综述摘要关键字 软件安全; 安全度量，安全指标 A Survey of Software Security Metrics Abstract Software systems is playing a more and more important role in our daily life nowadays. Security is one of the most important issues in developing and implementing software systems especially in highly critical application. To better understand software security in order to better control and improvement software security, measurement of software security qualitatively and quantitatively is necessary. Various security indicators, measures and metrics have been proposed in past 20 years, but few have been general acceptance and applied to practice use. We review the history of security metric research, and survey the current state of the art in qualitative and quantitative security measurement to characterize the available measurement strategies, their maturity, and the conceptual or technical obstacle preventing further progress in this field of research. Key words software security; security metrics; security indicators; Introduction Measurement is one of the foundations of sound engineering practices. More than 100 years ago, Lord Kelvin insightfully observed that the measurement is vital to deep knowledge and understanding in physical science. This principle should also apply to the field of software security. Measurement and improvement abilities could harden the security of systems efficiently because measurement helps to concentrate improvement effort where it is needed most, promoting issue-related security enhancements. Security metric is not a new topic, but one which receives focused interest sporadically. During the last few decades, researchers have made various attempts to develop measures and systems of measurement for software security with varying degrees of success, much of what has been written about security metrics is definitional, aimed at providing guidelines for defining a security metric and specifying criteria for which to strive. Although various methods, secur