Supporting and automating the security assessment of software products using tools

Abstract

IT security incidents are increasingly frequent, increasingly costly and increasingly dif- ficult to prevent. To bring software security to a higher level, international standards like the ISO/IEC 25010 have been developed to address security issues for software quality. This standard provides a powerful framework for analysing software quality aspects, one of which is security. Software Improvement Group (SIG) has proposed a security product quality model that operationalises the ISO/IEC 25010.

Our work started with studying and analysing this security model. The goal was to propose tools that could enhance and support the process of applying this model, since currently the tool support for this is minimal and most of the work is done manually. We broke down the process of applying the security model into steps and identified the steps that could benefit from using tools. We proceeded in looking for already available tools that fit our purposes, as well as in finding ways for measuring their effectiveness.

Our research did not lead us to a tool that was suitable for one of the steps of applying the SIG security model, so we designed and implemented one. We used an internal application of SIG as a ground truth for our tool development, and then tested it on two real-life projects of SIG. The tests were performed by experienced technical consultants of the company, and we used the results and their feedback to evaluate the degree of applicability and usefulness of our tool.