Published July 2025
| Version v1
Journal article
Open
Building Metrics to Quantify the Security of Software Components
Authors/Creators
Description
Abstract: Quantitative assessment of the security of software components is an essential but underdeveloped aspect in software engineering and cybersecurity. Although security analysis is increasingly being integrated into the software development phases, there are currently no universally accepted criteria that would allow a numerical comparison of the security level of different components. This paper proposes a conceptual framework for defining and applying metrics that enable such an assessment. The possibility of building a system that supports standardized, objective, and scalable security evaluation in development and integration environments is explored by analyzing fundamental software components and their evaluation based on clearly defined security properties. The results of the study open space for improvement of existing security practices and point to specific guidelines for integrating quantitative security assessment into the software development life cycle.
Originally published in: International Journal of Innovative Solutions in Engineering (IJISE), Vol. 1, No. 2, 2025. Official URL: https://ijise.ba/article/12/
Files
Vol.-1-No.-2-Article-12.pdf
Files
(429.4 kB)
| Name | Size | Download all |
|---|---|---|
|
md5:bfd9076f0c3932c2d6121d91572642ba
|
429.4 kB | Preview Download |
Additional details
Identifiers
Related works
- Is identical to
- Journal article: https://ijise.ba/article/12/ (URL)
- Is published in
- Journal: 3029-3200 (ISSN)
References
- Common Vulnerabilities and Exposures (CVE), (n.d.). https://www.cve.org/ (accessed August 17, 2025).
- CWE Top 25 Most Dangerous Software Weaknesses, (n.d.). https://cwe.mitre.org/top25/ (accessed August 17, 2025).
- OWASP Top Ten, (n.d.). https://owasp.org/www-project-top-ten/ (accessed August 17, 2025).
- ISO/IEC 29147:2018 - Information technology, security techniques, vulnerability disclosure, (n.d.). https://www.iso.org/standard/72311.html (accessed August 17, 2025).
- ISO/IEC 27004:2016 - Information security management, monitoring, measurement, analysis and evaluation, (n.d.). https://www.iso.org/standard/64120.html (accessed August 17, 2025).
- M. Pendleton, R. Garcia-Lebron, S. Xu, A Survey on Security Metrics, (2016). http://arxiv.org/abs/1601.05792.
- T.H.M. Le, H. Chen, M.A. Babar, A Survey on Data-driven Software Vulnerability Assessment and Prioritization, ACM Comput Surv 55 (2022). https://doi.org/10.1145/3529757.
- S. Elder, M.R. Rahman, G. Fringer, K. Kapoor, L. Williams, A Survey on Software Vulnerability Exploitability Assessment, ACM Comput Surv 56 (2024) 1–41. https://doi.org/10.1145/3648610.
- Y. Jiang, N. Oo, Q. Meng, H.W. Lim, B. Sikdar, A Survey on Vulnerability Prioritization: Taxonomy, Metrics, and Research Challenges, (2025). http://arxiv.org/abs/2502.11070.
- Common Vulnerability Scoring System (CVSS), (n.d.). https://www.first.org/cvss/ (accessed August 17, 2025).
- A. Agrawal, R.A. Khan, Assessing and Improving Encapsulation for Minimizing Vulnerability of an Object Oriented Design, in: Communications in Computer and Information Science, Springer, Berlin, Heidelberg, 2011: pp. 531–533. https://doi.org/10.1007/978-3-642-25734-6_90.
- Exploit Prediction Scoring System (EPSS), (n.d.). https://www.first.org/epss/ (accessed August 17, 2025).
- Known Exploited Vulnerabilities Catalog (KEV CISA), (n.d.). https://www.cisa.gov/known-exploited-vulnerabilities-catalog (accessed August 16, 2025).
- National Vulnerability Database (NVD), (n.d.). https://nvd.nist.gov/ (accessed August 17, 2025).
- Death Knell of the NVD? - by Chris Hughes - Resilient Cyber, (n.d.). https://www.resilientcyber.io/p/death-knell-of-the-nvd (accessed August 16, 2025).
- Open Source Vulnerabilities (OSV), (n.d.). https://osv.dev/ (accessed August 16, 2025).
- GitHub Security Advisories (GHSA), (n.d.). https://github.com/advisories (accessed August 17, 2025).
- Common Attack Pattern Enumeration and Classification (CAPEC), (n.d.). https://capec.mitre.org/ (accessed August 17, 2025).
- MITRE ATT&CK, (n.d.). https://attack.mitre.org/ (accessed August 17, 2025).
- B. Carlsson, D. Baca, Software Security Analysis - Execution Phase Audit, EUROMICRO Conference (2005) 240–247. https://doi.org/10.1109/EURMIC.2005.54.
- F. Lomio, E. Iannone, A. De Lucia, F. Palomba, V. Lenarduzzi, Just-in-time software vulnerability detection: Are we there yet?, Journal of Systems and Software 188 (2022) 111283. https://doi.org/10.1016/j.jss.2022.111283.
- N. Dissanayake, A. Jayatilaka, M. Zahedi, M.A. Babar, Software security patch management - A systematic literature review of challenges, approaches, tools and practices, Inf Softw Technol 144 (2022) 106771. https://doi.org/10.1016/j.infsof.2021.106771.
- N.S. Harzevili, J. Shin, J. Wang, S. Wang, N. Nagappan, Characterizing and Understanding Software Security Vulnerabilities in Machine Learning Libraries, in: 2023 IEEE/ACM 20th International Conference on Mining Software Repositories (MSR), IEEE, 2023: pp. 27–38. https://doi.org/10.1109/MSR59073.2023.00018.
- P. Mell, K. Scarfone, S. Romanosky, A Complete Guide to the Common Vulnerability Scoring System Version 2.0, Forum of Incident Response and Security Teams (FIRST) (2007).
- L. Allodi, F. Massacci, Comparing Vulnerability Severity and Exploits Using Case-Control Studies, ACM Transactions on Information and System Security 17 (2014) 1–20. https://doi.org/10.1145/2630069.
- S. Neuhaus, T. Zimmermann, Security Trend Analysis with CVE Topic Models, in: 2010 IEEE 21st International Symposium on Software Reliability Engineering, IEEE, 2010: pp. 111–120. https://doi.org/10.1109/ISSRE.2010.53.
- A. Gueye, P. Mell, A Historical and Statistical Studyof the Software Vulnerability Landscape, (2021). http://arxiv.org/abs/2102.01722.
- G. Gori, L. Rinieri, A. Melis, A. Al Sadi, F. Callegati, M. Prandini, A Systematic Analysis of Security Metrics for Industrial Cyber–Physical Systems, Electronics (Basel) 13 (2024) 1208. https://doi.org/10.3390/electronics13071208.
- E.K. Adejumo, B. Johnson, M. Guizani, Commit Stability as a Signal for Risk in Open-Source Projects, (2025). http://arxiv.org/abs/2508.02487.
- C. Sabottke, O. Suciu, T. Dumitras, Vulnerability Disclosure in the Age of Social Media: Exploiting Twitter for Predicting Real-World Exploits, 24th USENIX Security Symposium (2015).
- A. Almogahed, M. Omar, N.H. Zakaria, A. Alawadhi, Software Security Measurements: A Survey, in: 2022 International Conference on Intelligent Technology, System and Service for Internet of Everything (ITSS-IoE), IEEE, 2022: pp. 1–6. https://doi.org/10.1109/ITSS-IoE56359.2022.9990968.
- Study - Software security vulnerabilities persist for months, (n.d.). https://www.axios.com/2018/10/24/vulnerable-apps-software-security-veracode-study (accessed August 17, 2025).
- IT staff take as long as 1 month to fix security flaws, (n.d.). https://www.axios.com/2023/10/10/patching-security-flaws-slow (accessed August 17, 2025).
- OWASP Application Security Verification Standard (ASVS) | OWASP Foundation, (n.d.). https://owasp.org/www-project-application-security-verification-standard/ (accessed August 18, 2025).
- D.J. Bodeau, R.D. Graubart, R.M. Mcquaid, J. Woodill, Cyber Resiliency Metrics, Measures of Effectiveness, and Scoring, 2018. https://www.mitre.org/sites/default/files/2021-11/prs-18-2579-cyber-resiliency-metrics-measures-of-effectiveness-and-scoring.pdf (accessed August 16, 2025).