Supporting and automating the security assessment of software products using tools
Summary
IT security incidents are increasingly frequent, increasingly costly and increasingly
difficult to prevent. To bring software security to a higher level, international standards
such as ISO/IEC 25010 have been developed to address security issues for software
quality. This standard provides a powerful framework for analysing software quality
aspects, one of which is security. Software Improvement Group (SIG) has proposed a
security product quality model that operationalises ISO/IEC 25010.
Our work started with studying and analysing this security model. The goal was to
propose tools that could enhance and support the process of applying this model, since
currently the tool support for this is minimal and most of the work is done manually.
We broke down the process of applying the security model into steps and identified the
steps that could benefit from using tools. We then looked for existing
tools that fit our purposes, as well as for ways to measure their effectiveness.
Our research did not lead us to a tool that was suitable for one of the steps of applying
the SIG security model, so we designed and implemented one. We used an internal
application of SIG as a ground truth for our tool development, and then tested it on two
real-life projects of SIG. The tests were performed by experienced technical consultants
of the company, and we used the results and their feedback to evaluate the degree of
applicability and usefulness of our tool.