Description
To be or not to be secure. In theory, security is binary. But in practice 100% security does not exist. Instead, security is a continuous battle on many fronts where improvements are obtained gradually. To support such gradual security improvement, we need to be able to measure current security on a continuous scale. But how? The Software Improvement Group has developed multiple security metrics and bundled them in rating mechanisms for software products and processes.
Goals
In this project, you will extend and validate a recently proposed security rating scheme with new measurements in order to capture new aspects of security or to make the current metrics more precise or more repeatable. You will study the statistical behaviour of these metrics, test their strengths and weaknesses, and provide us with recommendations on how to integrate them with tools such as Fortify, Checkmarx, and INFER.
Suggested reading
- Security metrics for software systems, ACM-SE 2009.
- Towards a taxonomy for information security metrics, QoP 2007. http://dl.acm.org/citation.cfm?doid=1314257.1314266
- A comparison of software design security metrics, ECSA 2010. http://dx.doi.org/10.1145/1842752.1842797
- Risk analysis supported by information security metrics, CompSysTech 2011. http://dx.doi.org/10.1145/2023607.2023673
You will be embedded in the Research team of the Software Improvement Group. One of SIG's researchers will be appointed as your daily supervisor. Apart from daily supervision, you will interact with the other researchers on a regular basis. SIG is a dynamic, demanding, and rewarding working environment.
Students are expected to perform solid scientific work that is at the same time relevant for practitioners. You will get ample support and supervision and in return we expect you to learn fast and take responsibility for obtaining excellent results.