• DocumentCode
    2323111
  • Title
    Environmental Metrics for Software Security Based on a Vulnerability Ontology
  • Author
    Wang, Ju An ; Guo, Minzhe ; Wang, Hao ; Xia, Min ; Zhou, Linfeng
  • Author_Institution
    Southern Polytech. State Univ., Marietta, GA, USA
  • fYear
    2009
  • fDate
    8-10 July 2009
  • Firstpage
    159
  • Lastpage
    168
  • Abstract
    This paper proposes an ontology-based approach to analyzing and assessing the security posture of software products. It provides measurements of trust for a software product based on its security requirements and evidence of assurance, which are retrieved from an ontology built for vulnerability management. Our approach differs from previous work in the following aspects: (1) It is a holistic approach, emphasizing that system assurance cannot be determined or explained by component assurance alone; instead, the software system as a whole, in a given running environment, determines its assurance level. (2) Our approach is based on widely accepted standards such as CVSS, CVE, CWE, CPE, and CAPEC. Our ontology integrates these standards seamlessly and thus provides a solid foundation for security assessment. (3) Automated tools have been built to support our approach, delivering environmental scores for software products.
  • Keywords
    ontologies (artificial intelligence); security of data; software reliability; CAPEC; CPE; CVE; CVSS; CWE; assurance; environmental metrics; running environment; software security; vulnerability ontology; Automation; Computer security; Data security; Environmental management; Information security; Measurement standards; Ontologies; Particle measurements; Sea measurements; Software standards; Environmental score; Ontology; Security metrics; Software products
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Secure Software Integration and Reliability Improvement, 2009. SSIRI 2009. Third IEEE International Conference on
  • Conference_Location
    Shanghai
  • Print_ISBN
    978-0-7695-3758-0
  • Type
    conf
  • DOI
    10.1109/SSIRI.2009.60
  • Filename
    5325379