Environmental Metrics for Software Security Based on a Vulnerability Ontology
This paper proposes an ontology-based approach to analyzing and assessing the security posture for software products. It provides measurements of trust for a software product based on its security requirements and evidence of assurance, which are retrieved from an ontology built for vulnerability management. Our approach differentiates with the previous work in the following aspects: (1) It is a holistic approach emphasizing that the system assurance cannot be determined or explained by its component assurance alone. Instead, the software system as a whole in a given running environment determines its assurance level. (2) Our approach is based on widely accepted standards such as CVSS, CVE, CWE, CPE, and CAPEC. Our ontology integrated these standards seamlessly thus provides a solid foundation for security assessment. (3) Automated tools have been built to support our approach, delivering the environmental scores for software products.
Software products Security metrics Environmental score Ontology
Ju An Wang Minzhe Guo Hao Wang Min Xia Linfeng Zhou
Southern Polytechnic State University 1100 South Marietta Parkway arietta, GA 30060 Southern Polytechnic State University 1100 South Marietta Parkway Marietta, GA 30060
国际会议
上海
英文
159-168
2009-07-08(万方平台首次上网日期,不代表论文的发表时间)