A Survey of Metrics Employed to Assess Software Security

Abstract

Measuring and assessing software security is a critical concern as it is undesirable to develop risky and insecure software. Various measurement approaches and metrics have been defined to assess software security. For researchers and software developers, it is significant to have different metrics and measurement models at one place either to evaluate the existing measurement approaches, to compare between two or more metrics or to be able to find the proper metric to measure the software security at a specific software development phase. There is no existing survey of software security metrics that covers metrics available at all the software development phases. In this paper, we present a survey of metrics used to assess and measure software security, and we categorized them based on software development phases. Our findings reveal a critical lack of automated tools, and the necessity to possess detailed knowledge or experience of the measured software as the major hindrances in the use of existing software security metrics.