An Attack Surface Metric

Measurement of software security is a long-standing challenge to the research community. At the same time, practical security metrics and measurements are essential for secure software development. Hence, the need for metrics is more pressing now due to a growing demand for secure software. In this...

Ausführliche Beschreibung

Gespeichert in:

Bibliographische Detailangaben
Veröffentlicht in:	IEEE transactions on software engineering 2011-05, Vol.37 (3), p.371-386
Hauptverfasser:	Manadhata, P K, Wing, J M
Format:	Artikel
Sprache:	eng
Schlagworte:	Alliances Analysis Application software Code design Complement Computer programs Demand Digital Object Identifier Java life cycle Measurement methods Methods Pressing Product life cycle product metrics Programming protection mechanisms Quality improvement Risk risk mitigation Security Size measurement Software Software development Software engineering Software industry Software measurement Software quality software security Software systems Studies Time measurement
Online-Zugang:	Volltext bestellen
Tags:	Tag hinzufügen Keine Tags, Fügen Sie den ersten Tag hinzu!

container_end_page	386
container_issue	3
container_start_page	371
container_title	IEEE transactions on software engineering
container_volume	37
creator	Manadhata, P K Wing, J M
description	Measurement of software security is a long-standing challenge to the research community. At the same time, practical security metrics and measurements are essential for secure software development. Hence, the need for metrics is more pressing now due to a growing demand for secure software. In this paper, we propose using a software system's attack surface measurement as an indicator of the system's security. We formalize the notion of a system's attack surface and introduce an attack surface metric to measure the attack surface in a systematic manner. Our measurement method is agnostic to a software system's implementation language and is applicable to systems of all sizes; we demonstrate our method by measuring the attack surfaces of small desktop applications and large enterprise systems implemented in C and Java. We conducted three exploratory empirical studies to validate our method. Software developers can mitigate their software's security risk by measuring and reducing their software's attack surfaces. Our attack surface reduction approach complements the software industry's traditional code quality improvement approach for security risk mitigation and is useful in multiple phases of the software development lifecycle. Our collaboration with SAP demonstrates the use of our metric in the software development process.
doi_str_mv	10.1109/TSE.2010.60
format	Article
fullrecord	<record><control><sourceid>proquest_RIE</sourceid><recordid>TN_cdi_proquest_journals_868620733</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><ieee_id>5482589</ieee_id><sourcerecordid>2357879171</sourcerecordid><originalsourceid>FETCH-LOGICAL-c354t-1cfe5c74e7f8e2cd7e4477e9c3f1920f55c01d950839c4da4c44740c61ae43f03</originalsourceid><addsrcrecordid>eNpdkE1LAzEQhoMouFZPXgQvxYsH2TrZJJvkWEr9gIqH1nMI0wlsbbs12T34701Z8eBpGOZh3peHsWsOE87BPq6W80kFeavhhBXcClsKVcEpKwCsKZUy9pxdpLQBAKW1KtjNdD-edp3Hz_Gyj8Ejjd-oiw1esrPgt4mufueIfTzNV7OXcvH-_DqbLkoUSnYlx0AKtSQdDFW41iSl1mRRBG4rCEoh8LVVYIRFufYS810C1tyTFAHEiN0Pfw-x_eopdW7XJKTt1u-p7ZMzxkqpJOeZvPtHbto-7nM5Z2pTV6CFyNDDAGFsU4oU3CE2Ox-_HQd3dOSyI3d05Opj-O1AN0T0RyppqmxK_ACByV68</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>868620733</pqid></control><display><type>article</type><title>An Attack Surface Metric</title><source>IEEE Electronic Library (IEL)</source><creator>Manadhata, P K ; Wing, J M</creator><creatorcontrib>Manadhata, P K ; Wing, J M</creatorcontrib><description>Measurement of software security is a long-standing challenge to the research community. At the same time, practical security metrics and measurements are essential for secure software development. Hence, the need for metrics is more pressing now due to a growing demand for secure software. In this paper, we propose using a software system's attack surface measurement as an indicator of the system's security. We formalize the notion of a system's attack surface and introduce an attack surface metric to measure the attack surface in a systematic manner. Our measurement method is agnostic to a software system's implementation language and is applicable to systems of all sizes; we demonstrate our method by measuring the attack surfaces of small desktop applications and large enterprise systems implemented in C and Java. We conducted three exploratory empirical studies to validate our method. Software developers can mitigate their software's security risk by measuring and reducing their software's attack surfaces. Our attack surface reduction approach complements the software industry's traditional code quality improvement approach for security risk mitigation and is useful in multiple phases of the software development lifecycle. Our collaboration with SAP demonstrates the use of our metric in the software development process.</description><identifier>ISSN: 0098-5589</identifier><identifier>EISSN: 1939-3520</identifier><identifier>DOI: 10.1109/TSE.2010.60</identifier><identifier>CODEN: IESEDJ</identifier><language>eng</language><publisher>New York: IEEE</publisher><subject>Alliances ; Analysis ; Application software ; Code design ; Complement ; Computer programs ; Demand ; Digital Object Identifier ; Java ; life cycle ; Measurement methods ; Methods ; Pressing ; Product life cycle ; product metrics ; Programming ; protection mechanisms ; Quality improvement ; Risk ; risk mitigation ; Security ; Size measurement ; Software ; Software development ; Software engineering ; Software industry ; Software measurement ; Software quality ; software security ; Software systems ; Studies ; Time measurement</subject><ispartof>IEEE transactions on software engineering, 2011-05, Vol.37 (3), p.371-386</ispartof><rights>Copyright IEEE Computer Society May 2011</rights><lds50>peer_reviewed</lds50><woscitedreferencessubscribed>false</woscitedreferencessubscribed><citedby>FETCH-LOGICAL-c354t-1cfe5c74e7f8e2cd7e4477e9c3f1920f55c01d950839c4da4c44740c61ae43f03</citedby><cites>FETCH-LOGICAL-c354t-1cfe5c74e7f8e2cd7e4477e9c3f1920f55c01d950839c4da4c44740c61ae43f03</cites></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><linktohtml>$$Uhttps://ieeexplore.ieee.org/document/5482589$$EHTML$$P50$$Gieee$$H</linktohtml><link.rule.ids>314,776,780,792,27903,27904,54736</link.rule.ids><linktorsrc>$$Uhttps://ieeexplore.ieee.org/document/5482589$$EView_record_in_IEEE$$FView_record_in_$$GIEEE</linktorsrc></links><search><creatorcontrib>Manadhata, P K</creatorcontrib><creatorcontrib>Wing, J M</creatorcontrib><title>An Attack Surface Metric</title><title>IEEE transactions on software engineering</title><addtitle>TSE</addtitle><description>Measurement of software security is a long-standing challenge to the research community. At the same time, practical security metrics and measurements are essential for secure software development. Hence, the need for metrics is more pressing now due to a growing demand for secure software. In this paper, we propose using a software system's attack surface measurement as an indicator of the system's security. We formalize the notion of a system's attack surface and introduce an attack surface metric to measure the attack surface in a systematic manner. Our measurement method is agnostic to a software system's implementation language and is applicable to systems of all sizes; we demonstrate our method by measuring the attack surfaces of small desktop applications and large enterprise systems implemented in C and Java. We conducted three exploratory empirical studies to validate our method. Software developers can mitigate their software's security risk by measuring and reducing their software's attack surfaces. Our attack surface reduction approach complements the software industry's traditional code quality improvement approach for security risk mitigation and is useful in multiple phases of the software development lifecycle. Our collaboration with SAP demonstrates the use of our metric in the software development process.</description><subject>Alliances</subject><subject>Analysis</subject><subject>Application software</subject><subject>Code design</subject><subject>Complement</subject><subject>Computer programs</subject><subject>Demand</subject><subject>Digital Object Identifier</subject><subject>Java</subject><subject>life cycle</subject><subject>Measurement methods</subject><subject>Methods</subject><subject>Pressing</subject><subject>Product life cycle</subject><subject>product metrics</subject><subject>Programming</subject><subject>protection mechanisms</subject><subject>Quality improvement</subject><subject>Risk</subject><subject>risk mitigation</subject><subject>Security</subject><subject>Size measurement</subject><subject>Software</subject><subject>Software development</subject><subject>Software engineering</subject><subject>Software industry</subject><subject>Software measurement</subject><subject>Software quality</subject><subject>software security</subject><subject>Software systems</subject><subject>Studies</subject><subject>Time measurement</subject><issn>0098-5589</issn><issn>1939-3520</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2011</creationdate><recordtype>article</recordtype><sourceid>RIE</sourceid><sourceid>8G5</sourceid><sourceid>ABUWG</sourceid><sourceid>AFKRA</sourceid><sourceid>AZQEC</sourceid><sourceid>BENPR</sourceid><sourceid>CCPQU</sourceid><sourceid>DWQXO</sourceid><sourceid>GNUQQ</sourceid><sourceid>GUQSH</sourceid><sourceid>M2O</sourceid><recordid>eNpdkE1LAzEQhoMouFZPXgQvxYsH2TrZJJvkWEr9gIqH1nMI0wlsbbs12T34701Z8eBpGOZh3peHsWsOE87BPq6W80kFeavhhBXcClsKVcEpKwCsKZUy9pxdpLQBAKW1KtjNdD-edp3Hz_Gyj8Ejjd-oiw1esrPgt4mufueIfTzNV7OXcvH-_DqbLkoUSnYlx0AKtSQdDFW41iSl1mRRBG4rCEoh8LVVYIRFufYS810C1tyTFAHEiN0Pfw-x_eopdW7XJKTt1u-p7ZMzxkqpJOeZvPtHbto-7nM5Z2pTV6CFyNDDAGFsU4oU3CE2Ox-_HQd3dOSyI3d05Opj-O1AN0T0RyppqmxK_ACByV68</recordid><startdate>20110501</startdate><enddate>20110501</enddate><creator>Manadhata, P K</creator><creator>Wing, J M</creator><general>IEEE</general><general>IEEE Computer Society</general><scope>97E</scope><scope>RIA</scope><scope>RIE</scope><scope>AAYXX</scope><scope>CITATION</scope><scope>3V.</scope><scope>7WY</scope><scope>7WZ</scope><scope>7X7</scope><scope>7XB</scope><scope>87Z</scope><scope>88E</scope><scope>88F</scope><scope>88I</scope><scope>88K</scope><scope>8AL</scope><scope>8FE</scope><scope>8FG</scope><scope>8FI</scope><scope>8FJ</scope><scope>8FK</scope><scope>8FL</scope><scope>8G5</scope><scope>ABJCF</scope><scope>ABUWG</scope><scope>AFKRA</scope><scope>ARAPS</scope><scope>AZQEC</scope><scope>BENPR</scope><scope>BEZIV</scope><scope>BGLVJ</scope><scope>CCPQU</scope><scope>DWQXO</scope><scope>FRNLG</scope><scope>FYUFA</scope><scope>F~G</scope><scope>GHDGH</scope><scope>GNUQQ</scope><scope>GUQSH</scope><scope>HCIFZ</scope><scope>JQ2</scope><scope>K60</scope><scope>K6~</scope><scope>K7-</scope><scope>K9.</scope><scope>L.-</scope><scope>L6V</scope><scope>M0C</scope><scope>M0N</scope><scope>M0S</scope><scope>M1P</scope><scope>M1Q</scope><scope>M2O</scope><scope>M2P</scope><scope>M2T</scope><scope>M7S</scope><scope>MBDVC</scope><scope>P5Z</scope><scope>P62</scope><scope>PQBIZ</scope><scope>PQBZA</scope><scope>PQEST</scope><scope>PQQKQ</scope><scope>PQUKI</scope><scope>PRINS</scope><scope>PTHSS</scope><scope>Q9U</scope><scope>7SC</scope><scope>7SP</scope><scope>8FD</scope><scope>F28</scope><scope>FR3</scope><scope>L7M</scope><scope>L~C</scope><scope>L~D</scope></search><sort><creationdate>20110501</creationdate><title>An Attack Surface Metric</title><author>Manadhata, P K ; Wing, J M</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-c354t-1cfe5c74e7f8e2cd7e4477e9c3f1920f55c01d950839c4da4c44740c61ae43f03</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2011</creationdate><topic>Alliances</topic><topic>Analysis</topic><topic>Application software</topic><topic>Code design</topic><topic>Complement</topic><topic>Computer programs</topic><topic>Demand</topic><topic>Digital Object Identifier</topic><topic>Java</topic><topic>life cycle</topic><topic>Measurement methods</topic><topic>Methods</topic><topic>Pressing</topic><topic>Product life cycle</topic><topic>product metrics</topic><topic>Programming</topic><topic>protection mechanisms</topic><topic>Quality improvement</topic><topic>Risk</topic><topic>risk mitigation</topic><topic>Security</topic><topic>Size measurement</topic><topic>Software</topic><topic>Software development</topic><topic>Software engineering</topic><topic>Software industry</topic><topic>Software measurement</topic><topic>Software quality</topic><topic>software security</topic><topic>Software systems</topic><topic>Studies</topic><topic>Time measurement</topic><toplevel>peer_reviewed</toplevel><toplevel>online_resources</toplevel><creatorcontrib>Manadhata, P K</creatorcontrib><creatorcontrib>Wing, J M</creatorcontrib><collection>IEEE All-Society Periodicals Package (ASPP) 2005-present</collection><collection>IEEE All-Society Periodicals Package (ASPP) 1998-Present</collection><collection>IEEE Electronic Library (IEL)</collection><collection>CrossRef</collection><collection>ProQuest Central (Corporate)</collection><collection>ABI/INFORM Collection</collection><collection>ABI/INFORM Global (PDF only)</collection><collection>Health & Medical Collection</collection><collection>ProQuest Central (purchase pre-March 2016)</collection><collection>ABI/INFORM Global (Alumni Edition)</collection><collection>Medical Database (Alumni Edition)</collection><collection>Military Database (Alumni Edition)</collection><collection>Science Database (Alumni Edition)</collection><collection>Telecommunications (Alumni Edition)</collection><collection>Computing Database (Alumni Edition)</collection><collection>ProQuest SciTech Collection</collection><collection>ProQuest Technology Collection</collection><collection>Hospital Premium Collection</collection><collection>Hospital Premium Collection (Alumni Edition)</collection><collection>ProQuest Central (Alumni) (purchase pre-March 2016)</collection><collection>ABI/INFORM Collection (Alumni Edition)</collection><collection>Research Library (Alumni Edition)</collection><collection>Materials Science & Engineering Collection</collection><collection>ProQuest Central (Alumni Edition)</collection><collection>ProQuest Central UK/Ireland</collection><collection>Advanced Technologies & Aerospace Collection</collection><collection>ProQuest Central Essentials</collection><collection>ProQuest Central</collection><collection>Business Premium Collection</collection><collection>Technology Collection (ProQuest)</collection><collection>ProQuest One Community College</collection><collection>ProQuest Central Korea</collection><collection>Business Premium Collection (Alumni)</collection><collection>Health Research Premium Collection</collection><collection>ABI/INFORM Global (Corporate)</collection><collection>Health Research Premium Collection (Alumni)</collection><collection>ProQuest Central Student</collection><collection>Research Library Prep</collection><collection>SciTech Premium Collection</collection><collection>ProQuest Computer Science Collection</collection><collection>ProQuest Business Collection (Alumni Edition)</collection><collection>ProQuest Business Collection</collection><collection>Computer Science Database</collection><collection>ProQuest Health & Medical Complete (Alumni)</collection><collection>ABI/INFORM Professional Advanced</collection><collection>ProQuest Engineering Collection</collection><collection>ABI/INFORM Global</collection><collection>Computing Database</collection><collection>Health & Medical Collection (Alumni Edition)</collection><collection>Medical Database</collection><collection>Military Database</collection><collection>Research Library</collection><collection>Science Database</collection><collection>Telecommunications Database</collection><collection>Engineering Database</collection><collection>Research Library (Corporate)</collection><collection>Advanced Technologies & Aerospace Database</collection><collection>ProQuest Advanced Technologies & Aerospace Collection</collection><collection>ProQuest One Business</collection><collection>ProQuest One Business (Alumni)</collection><collection>ProQuest One Academic Eastern Edition (DO NOT USE)</collection><collection>ProQuest One Academic</collection><collection>ProQuest One Academic UKI Edition</collection><collection>ProQuest Central China</collection><collection>Engineering Collection</collection><collection>ProQuest Central Basic</collection><collection>Computer and Information Systems Abstracts</collection><collection>Electronics & Communications Abstracts</collection><collection>Technology Research Database</collection><collection>ANTE: Abstracts in New Technology & Engineering</collection><collection>Engineering Research Database</collection><collection>Advanced Technologies Database with Aerospace</collection><collection>Computer and Information Systems Abstracts Academic</collection><collection>Computer and Information Systems Abstracts Professional</collection><jtitle>IEEE transactions on software engineering</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Manadhata, P K</au><au>Wing, J M</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>An Attack Surface Metric</atitle><jtitle>IEEE transactions on software engineering</jtitle><stitle>TSE</stitle><date>2011-05-01</date><risdate>2011</risdate><volume>37</volume><issue>3</issue><spage>371</spage><epage>386</epage><pages>371-386</pages><issn>0098-5589</issn><eissn>1939-3520</eissn><coden>IESEDJ</coden><abstract>Measurement of software security is a long-standing challenge to the research community. At the same time, practical security metrics and measurements are essential for secure software development. Hence, the need for metrics is more pressing now due to a growing demand for secure software. In this paper, we propose using a software system's attack surface measurement as an indicator of the system's security. We formalize the notion of a system's attack surface and introduce an attack surface metric to measure the attack surface in a systematic manner. Our measurement method is agnostic to a software system's implementation language and is applicable to systems of all sizes; we demonstrate our method by measuring the attack surfaces of small desktop applications and large enterprise systems implemented in C and Java. We conducted three exploratory empirical studies to validate our method. Software developers can mitigate their software's security risk by measuring and reducing their software's attack surfaces. Our attack surface reduction approach complements the software industry's traditional code quality improvement approach for security risk mitigation and is useful in multiple phases of the software development lifecycle. Our collaboration with SAP demonstrates the use of our metric in the software development process.</abstract><cop>New York</cop><pub>IEEE</pub><doi>10.1109/TSE.2010.60</doi><tpages>16</tpages></addata></record>
fulltext	fulltext_linktorsrc
identifier	ISSN: 0098-5589
ispartof	IEEE transactions on software engineering, 2011-05, Vol.37 (3), p.371-386
issn	0098-5589 1939-3520
language	eng
recordid	cdi_proquest_journals_868620733
source	IEEE Electronic Library (IEL)
subjects	Alliances Analysis Application software Code design Complement Computer programs Demand Digital Object Identifier Java life cycle Measurement methods Methods Pressing Product life cycle product metrics Programming protection mechanisms Quality improvement Risk risk mitigation Security Size measurement Software Software development Software engineering Software industry Software measurement Software quality software security Software systems Studies Time measurement
title	An Attack Surface Metric
url	https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-24T12%3A37%3A54IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=An%20Attack%20Surface%20Metric&rft.jtitle=IEEE%20transactions%20on%20software%20engineering&rft.au=Manadhata,%20P%20K&rft.date=2011-05-01&rft.volume=37&rft.issue=3&rft.spage=371&rft.epage=386&rft.pages=371-386&rft.issn=0098-5589&rft.eissn=1939-3520&rft.coden=IESEDJ&rft_id=info:doi/10.1109/TSE.2010.60&rft_dat=%3Cproquest_RIE%3E2357879171%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=868620733&rft_id=info:pmid/&rft_ieee_id=5482589&rfr_iscdi=true