Sultan, Khalid Ibrahim (2007) New measurements for building secure software. Masters thesis, Concordia University.
Abstract
Despite the increased focus of today's research on improving the security of the cyber infrastructure, there is still room for improvement, particularly in handling security during the software development life cycle (SDLC). Developing secure software requires that developers address security issues as part of each phase of the software development process. Security metrics are powerful techniques that can help software designers and developers integrate security features into their systems from the very beginning of the development lifecycle. However, the idea of introducing such metrics in each phase of the SDLC has not appeared before. To address this, we propose a new set of technical security metrics for building secure software. The proposed metrics aim to address the security-related parameters throughout the entire SDLC. The focus of this research is to examine the concept of "Design for Security" as part of research efforts and to incorporate technical security issues related to the development of software from the very beginning of the development process. This set of metrics is further divided into subgroups, where each subgroup corresponds to a particular phase of the SDLC. For each metric, we specify whether it can be calculated automatically or manually. To calculate the automated metrics, we built a tool using JavaCC (Java Compiler Compiler). It takes C/C++ source code files as input, and its output is the automated security metrics for the implementation phase. We believe that considering these metrics will help people involved in the software development process improve their applications from the security point of view.

Keywords: Software Security, Security Metrics, Software Development Lifecycle, Design for Security.
Divisions: | Concordia University > Gina Cody School of Engineering and Computer Science > Electrical and Computer Engineering |
---|---|
Item Type: | Thesis (Masters) |
Authors: | Sultan, Khalid Ibrahim |
Pagination: | xi, 97 leaves : ill. ; 29 cm. |
Institution: | Concordia University |
Degree Name: | M.A. Sc. |
Program: | Electrical and Computer Engineering |
Date: | 2007 |
Thesis Supervisor(s): | En-Nouaary, Abdeslam |
Identification Number: | LE 3 C66E44M 2007 S85 |
ID Code: | 975384 |
Deposited By: | Concordia University Library |
Deposited On: | 22 Jan 2013 16:07 |
Last Modified: | 13 Jul 2020 20:07 |