Exploring The Use of Metrics For Software Assurance
Carol Woody, Ph.D.
Robert Ellison, Ph.D.
Charlie Ryan
December 2018
CERT Division
The development of this report was sponsored by the Department of Defense Cruise Missile De-
fense Systems (CMDS) Project Office. We thank James Wessel and Eileen Wrubel from the Car-
negie Mellon University Software Engineering Institute (SEI) for coordinating the funding that
allowed us to assemble and publish our research in this area and for their input as reviewers.
In addition, we thank William Richard Nichols and Timothy Chick for their support and insights
as reviewers. Also, we thank Barbara White and Sandy Shrum for providing editing support.
The Software Assurance Framework (SAF) is a collection of cybersecurity practices that pro-
grams can apply across the acquisition lifecycle and supply chain. The SAF can be used to assess
an acquisition program’s current cybersecurity practices and chart a course for improvement, ulti-
mately reducing the cybersecurity risk of deployed software-reliant systems.
This report proposes measurements for each SAF practice that a program can select to monitor
and manage the progress it’s making toward software assurance. Metrics are needed to determine
how effectively a practice is performed and how well software assurance is addressed. This report
presents an approach for determining which SAF practices should be measured and how. It pro-
vides acquirers, program managers, and contractors with an approach for using metrics to estab-
lish confidence that the systems they plan to field will have sufficient software assurance.
There is always uncertainty about a software system’s behavior. Rather than performing exactly
the same steps repeatedly, most software components function in a highly complex networked and
interconnected system of systems that changes constantly. Measuring the design and implementa-
tion yields confidence that the delivered system will behave as specified. Determining that level
of confidence is the objective of software assurance, which is defined by the Committee on Na-
tional Security Systems (CNSS 2010)1 as
Implementing software with a level of confidence that the software functions as intended and
is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part
of the software, throughout the lifecycle.
The first challenge is evaluating whether a product’s assembled requirements define the appropri-
ate behavior. The second challenge is to confirm that the completed product, as built, fully satis-
fies the specifications for use under realistic conditions.
Determining assurance for the second challenge is an incremental process applied across the
lifecycle. There are many lifecycle approaches, but, in a broad sense, some form of requirements,
design, construction, and test is performed to define what is wanted, enable its construction, and
confirm its completion. Many metrics are used to evaluate parts of these activities in isolation, but
establishing confidence for software assurance requires considering the fully integrated solution to
establish overall sufficiency.
An additional complexity for software assurance is recognizing that software is never defect free,
and up to 5% of the unaddressed defects are vulnerabilities [Ellison 2014]. According to Jones
This same definition is applied in the National Defense Authorization Act (NDAA) of 2013 [PL 112-239, Sec.
Thus, software cannot always function perfectly as intended. How can confidence be established?
One option is to use measures that establish reasonable confidence that security is sufficient for
the operational context. Assurance measures are not absolutes, but information can be collected
that indicates whether key aspects of security have been sufficiently addressed throughout the
lifecycle to establish confidence that assurance is sufficient for operational needs.
At the start of development, much about the operational context remains undefined, and there is a
general knowledge of the operational and security risks that might arise as well as the security be-
havior that is desired when the system is deployed. This vision provides only a limited basis for
establishing confidence in the behavior of the delivered system.
Over the development lifecycle, as the details of the software and operational context incremen-
tally take shape, it is possible, with well-selected measurements, to incrementally increase confi-
dence and eventually confirm that the delivered system will achieve the level of software assur-
ance desired. When acquiring a product, if it is not possible to conduct measurement directly, the
vendor should be contacted to provide data that shows product and process confidence. Independ-
ent verification and validation should also be performed to confirm the vendor’s information.
A comparison of software and hardware reliability provides some insight into challenges for man-
aging software assurance. An evaluation of hardware reliability uses statistical measures, such as
the mean time between failures (MTBF) since hardware failures are often associated with wear
and other errors that are frequently eliminated over time. A low number of hardware failures in-
creases our confidence in a device’s reliability.
The differences between software and hardware reliability are reflected in their associated failure-
distribution curves shown in Figure 1. A bathtub curve, shown in the left graph, describes the typ-
ical failure distribution for hardware. The bathtub curve consists of three parts: a decreasing fail-
ure rate (of early failures), a constant failure rate (of random failures), and an increasing failure
rate (of wear-out failures), as wear increases the risk of failure. Software defects exist when a sys-
tem is deployed. Software’s failure distribution curve, shown in the right graph of Figure 1, re-
flects changes in operational conditions that exercise those defects as well as new faults intro-
duced by upgrades. The reduction of errors between updates can lead system engineers to make
reliability predictions for a system based on a false assumption that software is perfectible over
time. Complex software systems are never as error free as described above.
The same problem applies to software assurance. Software assurance must be engineered into the
design of a software-intensive system. Designing in software assurance requires going beyond
identifying defects and security vulnerabilities towards the end of the lifecycle (reacting) and ex-
tending to evaluating how system requirements and the engineering decisions made during design
contribute to vulnerabilities. Many known attacks are the result of poor acquisition and develop-
ment practices.
This approach to software assurance depends on establishing measures for managing software
faults across the full acquisition lifecycle. It also requires increased attention to earlier lifecycle
steps, which anticipate results and consider the verification side as shown in Figure 2. Many of
these steps can be performed iteratively with opportunities in each cycle to identify assurance lim-
itations and confirm results.
Section 2 provides insight into how measurement can be linked to practices and used as evidence
of software assurance.
Section 3 provides insights into the range of available metrics that can be collected for software
assurance practices and how the most useful ones, in a specific situation, might be selected.
Section 4 provides insights into the challenges of using lifecycle practices and suggests metrics to
support software assurance.
For example, if the system being delivered is a plane, a key mission concern is that the plane can
continue to fly and perform its mission even if it’s experiencing problems. Therefore, our stated
software assurance goal for this mission might be “mission-critical and flight-critical applications
executing on the plane or used to interact with the plane from ground stations will have low cy-
bersecurity risk.”
To establish activities that support meeting this software assurance goal, software assurance prac-
tices should be integrated into the lifecycle. The Software Assurance Framework (SAF), a base-
line of good software assurance practices for system and software engineers assembled by the
SEI, can be used to confirm the sufficiency of software assurance and identify gaps in current
lifecycle practices [Alberts 2017]. A range of evidence can be collected from these practices
across a lifecycle to establish confidence that software assurance is addressed.
Evaluation of this evidence should be integrated into the many monitoring and control steps al-
ready in a lifecycle, such as engineering design reviews, architecture evaluations, component ac-
quisition reviews, code inspections, code analyses and testing, flight simulations, milestone re-
views, and certification and accreditation. Through the analysis of the selected practices, evidence
and metrics can be generated to quantify levels of assurance, which, in turn, can be used to evalu-
ate the sufficiency of a system’s software assurance practices. A well-defined evidence-collection
process can be automated as part of a development pipeline to establish a consistent, repeatable
In this report, use of the word target refers to a goal or claim.
One form of structuring metric information is an assurance case.5 Metrics provide evidence in
support of a software assurance target based on justification of the value of the evidence (aka ar-
gument). Such evidence does not imply any kind of guarantee or certification. It is simply a way
to document rationale behind software assurance decisions. Assurance cases were originally used
to show that systems satisfy their safety-critical properties. For that use, they are called safety
cases. Effective measurements require planning to determine what to measure and analysis to de-
termine what the measures reveal as evidence in support of a target.
An assurance case is defined as a documented body of evidence that provides a convincing and valid argument
that a specified set of critical claims about a system’s properties are adequately justified for a given application
in a given environment.
Several observations about how an assurance case can be used include the following:
Creating a verification argument and identifying supporting evidence should be the expected
output of normal development activities.
An assurance case is developed incrementally. For this example, the outline of an assurance
case was developed during design. It is likely refined during implementation to satisfy verifi-
cation requirements.
Independent reviewers can evaluate the assurance argument and sufficiency of proposed or
supplied evidence throughout the development lifecycle.
Software assurance metrics are needed to evaluate both the practices in a software assurance prac-
tice area as well as the resulting assurance of the product. For example, in the SAF Engineering
practice area, the engineers must (1) know what to do, (2) actually do it, and (3) provide evidence
that what they did is sufficient.
However, there are many competing qualities (e.g., performance, safety, reliability, maintainabil-
ity, usability) an engineer must consider in addition to software assurance, and the result must
provide sufficient assurance to meet the target. Answers to the questions in Table 1 provide evi-
dence that the engineering was performed effectively. Further evidence is needed to determine if
the software assurance results based on the engineering decisions meet the target.
Trade-offs When multiple practices are available, have realistic trade-offs been made between the
effort associated with applying a technique and the improved result that is achieved? (The
improved result refers to the efficiency and effectiveness of the techniques relative to the
type of defect or weakness.)
Results applied Was engineering analysis effectively incorporated into lifecycle development?
The Goal/Question/Metric (GQM) paradigm6 can be used to establish a link between the software
assurance target and the engineering practices that should support the target. The GQM approach
was developed in the 1980s as a mechanism for structuring metrics and is a well-recognized and
widely used metrics approach.
To focus the use of GQM on software assurance, consider an example. An engineering practice
for software assurance identifies and protects the ways that a software component can be compro-
Read about the Goal Question Metric Approach on the University of Maryland website:
For each of these engineering questions, explore relevant outputs and metrics that can be used to
establish, collect, and verify appropriate evidence. Since each project is different in scope, sched-
ule, and target assurance, actual implemented choices should be the metrics that provide the great-
est utility.
Collecting measurement data starts with answering the following standard questions of who,
what, where, when, and how.
Who performs the practice(s) selected to measure? If there is direct access to who performs the
practices, it is possible to request the data. However, in many cases, the practices are performed
by contracted resources, and a deliverable must be added to performance criteria to ensure prac-
tices are performed. This addition may mean contract modifications and increased costs.
What should be collected and by whom? In some cases, the data is already available and is being
used for a related secondary purpose. It’s likely that no one is collecting the information because
it hasn’t been required, or what is being collected is imprecise or insufficiently correlated to what
must be evaluated. Are mechanisms available to collect the needed data? Are there log entries that
can be assembled or tools that can be applied to collect the data? If there is no way to collect the
data needed, a surrogate may be able to provide a close approximation of what is needed.
Where might the data be collected and how many sources should be used? How granular should
the data be? Is information needed about every line of code, every software module, every compo-
nent, or each product within the system? Or is information needed at an integration level? Is it
necessary to collect detailed data and construct the combined view, or can the data be collected at
a point where it will reflect the combinations? Is there a single point where the practice being
measured is performed, or is it spread throughout many separate steps, separate lifecycle activi-
ties, and separate contractors? Are the practices being inserted into the lifecycle, and do the meas-
urement activities need to be part of that transition? How many sources must participate to make
the measurement useful? In many cases, the volume of data may be too high for manual analysis,
and the collection process should be automated to be practical.
When should the metric be collected to be useful? If a metric is used for prediction, then it must
be part of early lifecycle activities. If it’s used for lifecycle performance verification, then it
should be part of later lifecycle activities. How frequently (e.g., daily, weekly, monthly, at the end
of a cycle, or as part of planned reviews) is this information needed? There is no reason to expend
resources to collect data more frequently than needed.
How should the information be assembled for analysis? Data is useful only if it’s analyzed, and
data analysis is time and resource intensive. Mechanisms must be in place to isolate data needed
to conduct assurance analysis from the many log files and other data repositories that potentially
contain millions of records. Data that is classified and cannot be shared with decision makers is
useless unless the analysis is framed so the decisions the data is intended to influence are ad-
dressed within the classification boundaries.
Measurement data is collected so that it can be used to influence action. Measurements can show
that work is proceeding as expected, and no action beyond continuing the current course is re-
quired. Measurements can show deviations from a desired range of performance, indicating the
need for further evaluation, possible engineering changes, or different measures because the data
does not correlate to expectations. Any of these outcomes requires knowledge of what constitutes
Who reviews the data for potential response? How do they determine what is out of acceptable
bounds and when action is required? Is there a single decision point? Or are performers at a gran-
ular level expected to (1) correct issues related to measures within a certain range and (2) notify
decision makers at the next level when those bounds are exceeded? Each selected measure can
have different responses to these questions based on how the organization chooses to implement
its decision making.
There are several possible responses to measures that are considered out of bounds. Initially, the
data should be confirmed to ensure its validity. Were the collection and submission processes fol-
lowed so that the data has integrity? Are the metrics appropriate to indicate specific action, or are
they potential warning indicators that should trigger further monitoring, data collection, and anal-
If the data is believable, then what are the potential impacts indicated by an out-of-bounds condi-
tion? There could be mission success impacts, system/product performance impacts, operational
capability impacts with future limitation implications, etc.
If the measures can be considered predictive, then what actions should be considered to prevent,
mitigate, or monitor the possible impact? If the possible impact is unacceptable, what must
change to align the predicted outcome with the desired result?
If the measures verify capability, are the conditions posed by the unexpected variance great
enough to justify rework of some or all of the system? Or will responsibility, and possibly future
change requests, be transferred to operations?
Any of the above responses requires criteria for evaluating the severity of impact and the immedi-
acy of expected response. Mechanisms for communicating the need for response to current or fu-
ture performers is also required.
Once the desired response is determined, it’s necessary to communicate to those expected to re-
spond so that they (1) know what they must do, (2) understand the expected response time, and
(3) have the proper authorization to act. How are such situations tracked to determine resolution?
Will additional measures be needed to confirm the expected outcome, or is future monitoring of
the existing measures sufficient?
It’s beneficial to periodically monitor and tune this process to improve the metrics used and the
actions that are determined and implemented based on those metrics. Also system and organiza-
tional changes can impact the metrics process.
The SAF documents practices for process management, program management, engineering, and
support. For any given software assurance target, there are GQM questions that can be linked to
each practice area and individual practice to help identify potential evidence. In this section, this
approach is used to develop an example that shows how practices in each area can be used to pro-
vide evidence in support of a software assurance target.
The SAF provides practices as a starting point for a program, based on the SEI’s expertise in soft-
ware assurance, cybersecurity engineering, and risk management. Each organization must tailor
the practices to support its specific software assurance target—possibly modifying the questions
for each relevant software assurance practice—and select a starting set of metrics for evidence
that is worth the time and effort needed to collect it.
Sub-Goal 1: Supply software to the warfighter that functions in the intended manner. (Since
this is the primary focus of every program, and volumes of material are published about it,
this sub-goal does not need to be further elaborated.)
Sub-Goal 2: Supply software to the warfighter with a minimal number of exploitable vulner-
abilities. (The remainder of this section provides a way to address this sub-goal.)
SAF-Based Questions
Using the SAF,7 the following questions should be asked to address sub-goal 2: Supply software
to the warfighter with a minimal number of exploitable vulnerabilities.
1. Process Management: Do process management activities help minimize the potential for ex-
ploitable software vulnerabilities?
1.1. Process Definition: Does the program establish and maintain cybersecurity processes?
1.2. Infrastructure Standards: Does the program establish and maintain security standards for
its infrastructure?
See Figure 3 for the SAF’s structure of practice areas.
1.4. Training: Does the program provide security training for its personnel?
2. Program Management: Do program management activities help minimize the potential for
exploitable software vulnerabilities?
2.1. Program Plans: Has the program adequately planned for cybersecurity activities?
2.3. Program Monitoring: Does the program monitor the status of cybersecurity activities?
2.4. Program Risk Management: Does the program manage program-level cybersecurity
2.5. Supplier Management: Does the program consider cybersecurity when selecting suppli-
ers and managing their activities?
3. Engineering: Do engineering activities minimize the potential for exploitable software vul-
3.1. Product Risk Management: Does the program manage cybersecurity risk in software
3.3. Architecture: Does the program appropriately address cybersecurity in its software archi-
tecture and design?
3.4. Implementation: Does the program minimize the number of vulnerabilities inserted into
its software code?
3.5. Testing, Validation, and Verification: Does the program test, validate, and verify cyber-
security in its software components?
3.6. Support Tools and Documentation: Does the program develop tools and documentation
to support the secure configuration and operation of its software components?
3.7. Deployment: Does the program consider cybersecurity during the deployment of soft-
ware components?
4. Support: Do support activities help minimize the potential for exploitable software vulnera-
4.1. Measurement and Analysis: Does the program adequately measure cybersecurity in ac-
quisition and engineering activities?
4.2. Change Management: Does the program manage cybersecurity changes to its acquisition
and engineering activities?
There are many possible metrics that could provide indicators of how well each practice in each
practice area is addressing its assigned responsibility for meeting the goal. The tables in Appen-
dices B-E provide metric options to consider when addressing the questions for each practice area
except 3.1 Product Risk Management, which, for this example, was not useful since the system
under development is the product.
There are many ways that the information provided in Appendices A-E can be used for practices,
outputs, and metrics. An organization can start with
existing practices to identify related metrics
known outputs to identify useful software assurance metrics
known attacks to identify useful practices and measures for future identification
Three examples are included in this section.
The DoD requires a program protection plan, and evidence could be collected using metrics for
engineering practices (see Figure 3, practice group 3) that show how a program is handling pro-
gram protection.
In Engineering practice area 3.2 Requirements, data can be collected to provide a basis for com-
pleting the program protection plan. Relevant software assurance data can come from require-
ments that include the following:
the attack surface
weaknesses resulting from the analysis of the attack surface, such as a threat model for the
In Engineering practice area 3.3 Architecture, data is collected to show that requirements can be
addressed. This data might include the following:
the results of an expert review by those with security expertise to determine the security ef-
fectiveness of the architecture
attack paths identified and mapped to security controls
security controls mapped to weaknesses identified in the threat modeling activities in practice
In Engineering practice area 3.5 Verification, Validation, and Testing, data can be collected to de-
termine that requirements have been confirmed and the following evidence would be useful:
percentage of security requirements tested (total number of security requirements and MLOC)
code exercised in testing (MLOC)
code surface tested (% of code exercises)
Each selected metric must have a process that establishes how data is collected, analyzed, and
evaluated based on information provided in Section 2.4 of this report.
In Engineering practice area 3.2 Requirements, the SAF includes the following practice:
A security risk assessment is an engineering-based security risk analysis that includes the at-
tack surface (those aspects of the system that are exposed to an external agent) and abuse/mis-
use cases (potential weaknesses associated with the attack surface that could lead to a compro-
mise). This activity may also be referred to as threat modeling.
A security risk assessment exhibits outputs with specificity that varies by lifecycle phase. Initial
risk assessment results might include only that the planned use of a commercial database manager
raises a specific vulnerability risk that should be addressed during detailed design. The risk as-
sessment associated with that detailed design should recommend specific mitigations to the devel-
opment team. Testing plans should cover high-priority weaknesses and proposed mitigations.
Examples of useful data related to measuring this practice and that support the software assurance
target appear in the following list:
recommended reductions in the attack surface to simplify development and reduce security
prioritized list of software security risks
prioritized list of design weaknesses
prioritized list of controls/mitigations
mapping of controls/mitigations to design weaknesses
prioritized list of issues to be addressed in test, validation, and verification
Output from reviews includes issues raised in internal reviews, review status, and evaluation plans
for software security requirements.
Analysis of the issues arising in various reviews should answer the questions shown in following
list to determine data that would be useful in evaluating progress toward the software assurance
For software security requirements, what has not been reviewed? (Examples include the num-
ber, difficulty, and criticality of “to be determined” [TBD] and “to be added” [TBA] items.)
Where are there essential inconsistencies in the analysis and/or mitigation recommendations?
(Examples include the number/percentage, difficulty, and criticality of the differences.)
Is there insufficient information for performing a proper security risk analysis? (Examples in-
clude emerging technologies and/or functionality where there is a limited history of security
exploits and mitigation.)
The assert function for the flawed software accepts two parameters: a string S and an integer N
and returns a substring of S of length N. For example, assert (“that”,3) returns tha. A vul-
nerability existed for calls where N is greater than then the length of S. For example, as-
sert(“that”,500) returns a string starting with “that” followed by 496 bytes of memory data
stored adjacent to the string that. Calls such as this one enable an attacker to view what should
be inaccessible memory contents. The input data specification that the value of N was less than or
equal to the length of the string was never verified.
The practices listed in Table 2 come from several SAF practices in the Engineering practice area
that should provide enough evidence to justify the claim that the Heartbleed vulnerability was
Threat modeling Software risk analysis identifies “input data risks with input verification” as requiring
As mentioned earlier in this report, the role of assurance metrics and data varies with the type of
assurance target. Earlier examples demonstrated that the effective use of metrics for software as-
surance in engineering practices requires coordinating data across many practices in the Engineer-
ing practice area.
Functional requirements typically (1) describe what a system should do and (2) focus on required
behavior that can be validated. Assurance requirements are more likely expressed in terms of what
a system should not do and are much more difficult (if not impossible) to confirm. However, we
should consider evaluations that show that a behavior is less likely to occur.
For example, we can verify that the authentication and authorization functions meet requirements
and that authorization is confirmed when sensitive data is accessed. However, that evidence is in-
sufficient to demonstrate assurance because only authorized users can access a data set. An at-
tacker does not need to exploit a weakness in those functions. Instead, they can use a vulnerability
in the functional software to change software performance and bypass authentication checks. In
other words, vulnerabilities enable an attack to bypass system controls. To reduce the likelihood
of this bypass occurring, practices that remove vulnerabilities are critically needed.
Many government agencies use the NIST Risk Management Framework (RMF) [NIST 2014] to
identify practices for cybersecurity that also address software assurance. These practices are in-
cluded in a contract and evaluated as part of an independent verification and validation (IV&V)
process to confirm the level of cybersecurity and software assurance risk addressed.
As an example, three areas of interest that could be combined were selected. (Additional exam-
ples are provided in Appendix A.)
1. The first area of interest is Software Flaw Remediation, which covers five RMF controls as
SI-2 Flaw Remediation
SI-2(1) Flaw Remediation | Central Management
SI-2(2) Flaw Remediation | Automated Flaw Remediation Status
SI-2(3) Flaw Remediation | Time to Remediate Flaws/Benchmarks for Corrective
SI-2(6) Flaw Remediation | Removal of Previous Versions of Software/Firmware
The same metrics could be selected to demonstrate meeting both RMF and software assur-
ance expectations from the following list:
% of vendor contracts requiring the use of evaluation practices and reporting vulnerabil-
ity metrics
code coverage (aka % of code evaluated [total and by each type of review])
vulnerabilities per MLOC identified and removed
unaddressed vulnerabilities per MLOC
% code libraries evaluated
% open source components evaluated
% legacy components evaluated
count of high-priority vulnerabilities identified and the count of those removed
2. The second area of interest is Malicious Code Protection, which covers the following four
RMF controls:
SI-3 Malicious Code Protection
SI-3(1) Malicious Code Protection | Central Management
SI-3(2) Malicious Code Protection | Automatic Updates
SI-3(10) Malicious Code Protection | Malicious Code Analysis
This area of interest is be handled by the SAF Engineering practice area 3.2 Implementation
as well. Specific metrics for these practice areas are provided in Appendix D.
3. The third area of interest is Software Supply Chain Protection, which covers the following
seven RMF controls:
SA-12 Supply Chain Protection
SA-12(1) Supply Chain Protection | Acquisition Strategies/Tools/Methods
SA-12(5) Supply Chain Protection | Limitation of Harm
SA-12(8) Supply Chain Protection | Use of All-Source Intelligence
SA-12(9) Supply Chain Protection | Operations Security
SA-12(11) Supply Chain Protection | Penetration Testing/Analysis of Elements, Pro-
cesses, and Actors
SA-22 Unsupported System Components
This area of interest is addressed by practices in SAF Project Management practice area 2.5
Supplier Management, which includes five practice activities and a range of metrics for each
practice as shown in Appendix C.
An additional 15 cybersecurity areas that map to an additional 20 RMF controls (listed in Appen-
dix A) can cross-reference to SAF practice areas and practices. These SAF practice areas and
For the DoD, milestone reviews in an acquisition lifecycle can be used to review selected metrics
and monitor how well the contractor is addressing the selected RMF controls and practices for
software assurance. As described in Sections 2 and 3 of this report, the acquirer must determine
which data to collect and how it will be evaluated to determine if the results are sufficient.
It is a common practice for a vendor to report the tools it uses to address vulnerabilities as part of
its execution pipeline. This source of evidence should map to the expected practice that this evi-
dence supports to determine how well each part of the practice is addressed. Also, all lifecycle ac-
tivities must be considered since potential vulnerabilities can be introduced at any stage of the
lifecycle. Therefore, the acquirer should not just accept what a vendor reports that it performs, but
the acquirer should also map what is reported to the needed practices and identify gaps and oppor-
tunities for improvement.
Capers Jones analyzed over 13,000 projects for the effects of general practices (e.g., inspections,
testing, and analysis) on improving software quality [Jones 2012]. His analysis shows that using a
combination of techniques is best. Many of the limitations associated with tools such as static
analysis, which have high rates of false positives and false negatives [Wedyan 2009], can be miti-
gated by other development practices.
Jones’ analysis of projects showed that a combination of inspections, static analysis, and testing
was greater than 97% efficient in identifying defects. However, these analyses address only the
identify part of SAF Engineering practice area 3.2 Implementation as part of “Evaluation practices
(e.g., code reviews and apply tools) are applied to identify and remove vulnerabilities in delivered
code (including code libraries, open source, and other reused components),” and additional ac-
tions must be performed to remove them.
The Security Development Lifecycle (SDL) encouraged other developers to include security analy-
sis earlier in the development lifecycle [Howard 2006]. Vulnerabilities created during design
should be identified and removed during risk assessments or in design and implementation. As-
surance now depends, in part, on how well a developer anticipates how a system can be compro-
mised and how well the developer chooses and implements effective mitigations. Practices that
anticipate software weaknesses are included in SAF area 3.2, as shown in Table 3.
Conduct a security risk analysis, including threat Prioritized list of software security risks
modeling and abuse/misuse cases. Prioritized list of design weaknesses
Prioritized list of controls/mitigations
Mapping of controls/mitigations to design weaknesses
Verification should guide the choice of mitigations. Can claims about a mitigation be verified? In
other words, what is the level of confidence an acquirer should have with the choice of mitiga-
tions? Creating an argument that a developer reduced or eliminated vulnerabilities (i.e., a devel-
oper’s assurance case) should start with risk analysis. The strength of the assurance argument and
its eventual verification depends, in part, on the evidence provided to support the mitigation of
software risks. An acquirer should consider the evidence that supports the following:
1. validity of the risk analysis
2. cost effectiveness of the mitigations with respect to their effects on mission outcomes
3. effective implementation of the chosen mitigations
The output of a risk assessment includes predictions of how a system can be compromised with
the risk priorities weighted by likelihood and consequences. Metrics now evaluate the engineering
analysis in items 1 and 2, while the incorporation of that engineering analysis is determined in
later lifecycle activities (item 3).
Instead of trying to confirm that the evidence provided for a practice is sufficient, instead ask why
the evidence may be insufficient or defective [Goodenough 2010]. For example, unanticipated
risks raised during a program technical review or by an independent product risk assessment re-
duce the confidence in a developer’s risk analysis. Examples of other doubts that could arise in-
clude the following:
The test plans did not include all hazards identified during design.
The web application developers had limited security experience.
The acquirer did not provide sufficient data to validate the modeling and simulations.
Integration testing did not adequately test recovery after component failures.
A developer should be able to provide evidence that confirms items 2 and 3 were addressed. For
example, assume a data flow includes an SQL database as a data store. A risk assessment does the
estimates the risk of an SQL-injection attack as described in CWE-135
describes how a successful exploit could lead to a malicious modification of data or the expo-
sure of information to individuals who are not supposed to have access to it
It is difficult to verify that a routine, even written by an experienced coder, prevents an SQL injec-
tion. A CWE-recommended mitigation is to use a vetted library or framework. Such a recommen-
dation is an engineering decision expressed as a coding rule to be enforced during implementa-
tion. The Consortium for IT: Software Quality (CISQ) states that the validation of the use of such
a library can be automated by scanning the source code and does not require the coder to have ex-
tensive security expertise [CISQ 2012]. A developer following the CISQ approach can provide an
acquirer with an assurance justification (as shown in Figure 5).
The CISQ approach, like static analysis, is based on the analysis of developed source code. How-
ever, the objective of the approach is to eliminate vulnerabilities during coding rather than identi-
fying defects after they are injected.
Confidence in reducing defects, as demonstrated by Capers Jones, depends on evidence that the
security risks and recommended mitigations were (1) considered during design and design re-
views, and during inspections; and (2) incorporated in test plans (like what was done for the SQL-
injection example).
Supply chain risk management refers to the collection of practices that manage the risks associ-
ated with the external manufacture or development of hardware and software components. There
are two sources of supply chain risks:
1. The supply chain is compromised, and counterfeit and tampered products are inserted.
For example, there was a vulnerability in a widely used implementation of the secure socket layer
protocol that was used for securing web communications. The vulnerability potentially exposed
memory data (e.g., passwords, user identification information, and other confidential information)
to unauthorized users. At the time of the announcement in 2014, there did not appear to be any
tools available that would have discovered the vulnerability [Kupsch 2014]. The vulnerability oc-
curred because the validity of the input to a software function was not verified. In all likelihood,
the defect could have been found during a code inspection, but this activity was not part of the de-
velopment process for this software.
For commercial development, most of the practices that address defects are early in the lifecycle.
The acquirer does not see the product until integration and will only be able to monitor the early
lifecycle activities through provisions in the contract. This separation is shown in Figure 6. Moni-
toring vendor development practices depends entirely on information provided by the vendor.
When the acquirer simply receives the final product at integration, it does not have direct visibil-
ity into the vendor’s development practices.
An acquirer must not only monitor a supplier’s development practices, but they must also under-
stand how that supplier monitors its suppliers. For example, how does the prime contractor reduce
supply chain risks associated with subcontractors and commercial suppliers? Supply chains can be
many layers deep, linking organizations with a wide range of defect management approaches.
Characteristics of commercial product development that can be available to an acquirer might in-
clude the following:
vulnerability history for the product as reported to the NIST National Vulnerability Database
standards that a product developer applies, such as The Open Group’s Open Trusted Technol-
ogy Provider Standard11 (O-TTPS) (ISO 20243), which uses evidence of a supplier’s capabil-
ities and product security as shown in Table 4
Evidence of Quality Supplier practices conform to best practice requirements and recommendations
Product Development primarily associated with the activities relating to the product’s development.
Evidence of Secure Providers employ a secure engineering method when designing and developing their
Development products. Software providers and suppliers often employ methods or processes with
the objective of identifying, detecting, fixing, and mitigating defects and vulnerabilities
that could be exploited as well as verifying the security and resiliency of the finished
Evidence of Supply Suppliers manage their supply chains through the application of defined, monitored,
Chain Security and validated supply chain processes.
A commercial product developer can take advantage of a relatively stable set of suppliers and
knowledge of the security risks associated with earlier versions; however, a system integrator re-
quires general knowledge that is applicable across multiple components and suppliers. Character-
istics of integrated development include the following:
integration of independently developed components with limited visibility into the actual
inconsistencies in security assumptions among components
component behavior that is dynamic over time (i.e., each component supported and updated
components that provide extensibility and customization
ongoing product upgrades
multiple components that compound threat analysis and mitigations
supply chain risk management that includes integration and product risks
While threat modeling for a product can be incrementally upgraded as functionality and threats
evolve over time, a distinct threat model must be constructed for each system by the acquirer. For
a product to be integrated into a commercial product, the supply chain must be managed by the
integrator. For the acquirer of the integrated product, visibility into how the integrator manages its
suppliers may be difficult.
The assurance discussed for custom development and for supply chain assurance were associated
with eliminating identified defects and vulnerabilities. Threat modeling attempts to reduce the risk
of vulnerabilities associated with unexpected conditions. Assurance should also be considered for
an organization’s work processes, which are based on systems working together to address a mis-
sion or business process.
A good example is the August 2003 power grid failure. Approximately 50 million electricity con-
sumers in Canada and the northeastern U.S. were subject to a cascading blackout. The events pre-
ceding the blackout included a mistake by tree trimmers in Ohio that took three high-voltage lines
out of service and a software failure (a race condition12) that disabled the computing service that
notified the power grid operators of changes in power grid conditions. With the alarm function
disabled, the power grid operators did not notice a sequence of power grid failures that eventually
lead to the blackout [NERC 2004].
The alert server was a commercial product. The integration of that component into the power
company’s system included a rollover to a second server if there was a hardware failure in the pri-
mary server. However, the software error that disabled the primary server also disabled the sec-
ondary server. This event was the first time that this software fault had been reported for the com-
mercial product.
A key observation by the technical reviewers was that the blackout would not have occurred if the
operators knew the alarm service failed. Typically, a response involves finding alternative sources
of electricity, and this response typically can be implemented in 30 minutes. Instead of analyzing
the details of the alarm server failure, the reviewers asked why the following software assurance
claim had not been met [NERC 2004]:
Claim: Power grid operators had sufficient situational awareness to manage the power grid
to meet its reliability requirements.
The reviewers proposed the following assurance case. The claim is met if one out of five of the
subclaims are satisfied.
The software failure was caused by a race condition. An error in the implementation of the software controls
that managed access to the data by multiple processes caused the alarm system to stall while processing an
event. With the software unable to complete the alarm event and move to the next one, the alarm processor
buffer filled and eventually overflowed.
A server provides alarms for condition changes. Alarm server recovery was designed for a hardware
failure. The alarm service did fail over to the secondary
server, but the software failure that disabled the pri-
mary server also disabled the backup.
Server recovery can be completed within ten minutes. The commercial system required 30 minutes for a re-
Operators are notified of the loss of the alarm server. Automatic notification of server failure was not imple-
Operators periodically check the output from contin- This practice was not done since those tools had re-
gency analysis and state estimators. peated failures in the preceding week.
An independent real-time monitor of the regional power The independent monitoring organization had concur-
grid provides alerts. rent failures.
This operational assurance case should guide the acquisition and integration of commercial power
grid software.
The Object Management Group established that software measurement relies on discrete indica-
tors to support real-world decision making. It also established that a software assurance indicator
is a metric or combination of metrics that provides useful information about the development pro-
cess, the how the project was conducted, or the characteristics of the product itself.13
A key aspect of software assurance in practice is performing activities associated with sound soft-
ware results. These activities help determine whether the software functions as intended and is
free of vulnerabilities. Experience shows that just performing what has traditionally been done for
hardware is not sufficient for software. The SAF was used as a set of software practices for ex-
ploring possible measurement options. A set of candidate metrics was identified that can connect
to some aspect of the execution of each practice in the SAF.
There are many lifecycles used to address software acquisition and development. Each SAF prac-
tice can be performed at varying points in a specific lifecycle. The level of specificity available at
each point in the lifecycle can be different. Measures taken at some points in the lifecycle are pre-
dictive, since they are connected with what is planned. Measures taken after plans are executed
can be used to verify that what was planned is what was actually performed.
Identifying a measurement for a practice by itself does not really tell us anything about software
assurance. To associate measures with software assurance, it is necessary to determine what a
measure tells us in relation to a target, but there is limited field experience in making this associa-
tion. The examples in this report were provided to demonstrate ways to navigate the various as-
pects of assurance goal, practice, and measurement in a logical structure. This report also covered
use of GQM and aspects of an assurance case to structure examples and show how measurement
can demonstrate some aspects of a practice.
The selection of a metric is only the first step in establishing a useful measurement of software as-
surance. Metric data must be collected, analyzed, and evaluated to identify potential concerns.
Measurement is not unique to software assurance. Performing sound software engineering also
includes considering measures for monitoring and controlling results. The examples in this report
explore aspects of integrating software assurance measurement into what is already being done for
other qualities instead of defining an entirely separate approach.
This report explores what is different about software assurance that must be added to what soft-
ware engineers are already doing. Based on this exploration, it is asserted that improved software
assurance depends on improved engineering. The DoD RAM guide makes that statement for relia-
bility, and the examples in this report confirm the criticality of good engineering for software as-
surance. Engineering requires that evidence is collected across the lifecycle since the product and
what can be measured changes.
6 Developer Security Testing and SA-11 Developer Security Testing 3.4 Implementation
Evaluation and Evaluation 3.5 Verification, Validation, and
4.3 Product Operation and
10 Attack Surface Reviews SA-11 (6) Developer Security 3.1 Product Risk Management
Testing and Evaluation | Attack 3.3 Architecture
Surface Reviews
3.5 Verification, Validation, and
4.3 Product Operation and
11 Software Threat Analysis SA-11(2) Developer Security 3.1 Product Risk Management
Testing and Evaluation | Threat and 4.3 Product Operation and
Vulnerability Analysis Sustainment
13 Verifying Scope of Testing and SA-11(7) Developer Security 3.5 Verification, Validation, and
Evaluation Testing and Evaluation | Verify Testing
Scope of Testing/Evaluation
15 Software Flaw Remediation SI-2 Flaw Remediation 2.4 Project Risk Management
SI-2(1) Flaw Remediation | Central 3.4 Implementation
Management 4.3 Product Operation and
SI-2(2) Flaw Remediation | Sustainment
Automated Flaw Remediation
SI-2(3) Flaw Remediation | Time to
Remediate Flaws/Benchmarks for
Corrective Actions
SI-2(6) Flaw Remediation | Removal
of Previous Versions of
16 Malicious Code Protection SI-3 Malicious Code Protection 2.4 Project Risk Management
SI-3(1) Malicious Code Protection | 3.4 Implementation
Central Management 4.3 Product Operation and
SI-3(2) Malicious Code Protection | Sustainment
Automatic Updates
SI-3(10) Malicious Code Protection |
Malicious Code Analysis
17 Software and Firmware Integrity SI-7 Software, Firmware, and 1.2 Infrastructure Standards
Information Integrity 2.5 Supplier Management
SI-7(1) Software, Firmware, and 4.3 Product Operation and
Information Integrity | Integrity Sustainment
18 Software Supply Chain SA-12 Supply Chain Protection 2.4 Project Risk Management
Protection SA-12(1) Supply Chain Protection | 2.5 Supplier Management
SA-12(5) Supply Chain Protection |
Limitation of Harm
SA-12(8) Supply Chain Protection |
Use of All-Source Intelligence
SA-12(9) Supply Chain Protection |
Operations Security
SA-12(11) Supply Chain Protection |
Penetration Testing/Analysis of
Elements, Processes, and Actors
SA-22 Unsupported System
SAF Practice Area 1.1 Process Definition: Does the program establish and
maintain cybersecurity processes?
Activities/Practices Outputs Candidate Metrics
Establish and maintain a standard Organizational Cybersecurity Poli- % of program managers trained in
set of cybersecurity policies, laws, cies cybersecurity policy
and regulations with which projects
must comply. % of senior managers trained in cy-
bersecurity policy
# of Organizational Cybersecurity
Establish and maintain tailoring Organizational Cybersecurity Tai- # and % of Organizational Cyberse-
criteria and guidelines for the loring Criteria and Guidelines curity Lifecycles with applicability
organization’s cybersecurity and tailoring guidance
processes (including lifecycle
# and % of applicable staff trained
in Organizational Cybersecurity Tai-
loring Criteria and Guidelines
Establish and maintain physical se- Organizational Physical Security % Organizational Physical Security
curity standards for physical work Standards Standards planned vs actual
spaces and facilities...
% Organizational Physical Security
Standards updated within the last
% Applicable personnel trained on
Organizational Physical Security
Standards planned vs actual
SAF Practice Area 1.3 Resources: Does the program have the cybersecurity
resources (e.g., personnel, data, assets) it needs?
Activities/Practices Outputs Candidate Metrics
Establish and maintain standard cy- Organizational Cybersecurity % processes with supporting proce-
bersecurity process assets (e.g., Process Assets dures
procedures, tools) that align with
Security Resource Repository % processes with supporting tools
processes and maintain them in a
repository. % staff trained in applicable pro-
cesses and tools
% processes changed/updated in
last 12 months
% tools changed/updated in last 12
Collect and maintain security-re- Security-Related Intelligence Data Amount of applicable attack data
lated intelligence data (e.g., attack
data, vulnerabilities, design weak- # staff (planned vs actual) responsi-
ble for collecting, organizing, and
nesses, abuse/misuse cases,
maintaining security related intelli-
gence data
Develop and document security Approved Security Features, # (planned vs actual) approved Se-
features, frameworks, and patterns. Frameworks, and Patterns curity Features, Frameworks, and
Establish and maintain guidance for Data Management System # data types
classifying data.
# classification categories
Provide specialized security experts Security Roles and Responsibilities # (planned vs actual) specialized
to assist project personnel. security experts assigned to assist
project personnel
Provide security awareness training Project Training Plan % project personnel trained
for program personnel (including
Training Products % support personnel trained
vendors, contractors, and out-
sourced workers). Vendor Contracts and Service % contractor personnel trained
Level Agreements
% contracts and service level
agreements with security aware-
ness training requirement
Provide role-based security training Project Training Plan % project personnel trained
for technical staff (including ven-
Training Products % support personnel trained
dors, contractors, and outsourced
workers). Vendor Contracts and Service % contractor personnel trained
Level Agreements
% contracts and service level
agreements with security role-
based training requirement
Track completion of security train- Program Status Reports % project personnel scheduled
ing activities.
% project personnel scheduled to
date vs completed
SAF Practice Area 2.1 Program Plans: Has the program adequately planned for
cybersecurity activities?
Attend training for developing cy- Training completed % of program managers trained in
bersecurity plans (for program man- cybersecurity planning
agers and senior managers).
% of senior managers trained in cy-
bersecurity planning
Define and document cybersecurity Published Program Plan % cybersecurity objectives defined
objectives in the Program Plan. and documented in the Program
Published System Engineering Plan
Plan or SEP vs. the applicable
number required in the organiza-
Cybersecurity objectives defined tion’s policies
and documented in the Program
Plan or SEP
Provide adequate resources to im- Required resources needed to For each category (personnel, train-
plement planned cybersecurity complete program cybersecurity ing, facilities, equipment, and tools):
tasks. roles and responsibilities are identi- % funding required vs approved
fied and provided
% personnel positions filled
Funding for required resources is
% personnel positions open
identified and provided
% training available
Training is identified, scheduled,
and provided % training procured vs developed
Training procured or developed in- % training scheduled
% training complete
Facilities identified, planned, and
provided % training complete by role
Equipment and tools identified and # facilities not yet available and
provided type
Select and implement a secure Program Processes selected, de- # and % program processes TBD
software development lifecycle veloped, documented, trained, and
(SSDL). maintained # and % program processes added,
changed, and deleted
Process tailoring guidelines devel-
# and % program processes
oped and applied
mapped to roles and responsibili-
Process waiver guidelines devel- ties
oped and applied
# and % program processes trained
% processes tailored
Define and implement a project Program Compliance Documents % project compliance planning and
compliance initiative for cybersecu- developed and maintained scheduling completed
Roles and Responsibilities as- % of project compliance planning
signed and scheduling tasks behind sched-
Program compliance planned,
scheduled, and initiated # of project compliance planning
and scheduling tasks TBD
Attend training for developing cy- Project Cybersecurity Documenta- % of program managers trained in
bersecurity plans (for program man- tion cybersecurity planning
agers and senior managers).
Training provided % of senior managers trained in cy-
bersecurity planning
Establish and maintain the physical Project Physical Security Documen- % physical security objectives im-
security of the project’s physical tation completed plemented for the project vs physi-
work spaces and facilities. cal security objectives defined and
documented in the Program Plan or
SAF Practice Area 2.3 Program Monitoring Does the program monitor the status of
cybersecurity activities?
Activities/Practices Outputs Candidate Metrics
Monitor the progress of the pro- Program Status Reports (monitor % scheduled tasks completed
ject‘s cybersecurity tasks. and control status against the Pro-
% tasks completed on schedule
gram Plan)
% tasks completed within budget
# and percent tasks 10% over
Monitor project compliance with cy- Program Compliance Documents # project compliance audits com-
bersecurity policies, laws, and regu- pleted
Program Plan
# findings per audit by category
Program Master Schedule
% findings by per audit category
Roles and Responsibilities identi-
fied and assigned # findings closed by category
# findings by category
% findings by category
# findings by category
% findings by category
Ensure that project strategies and Program Plan % program managers receiving cy-
plans address project-level cyber- bersecurity risk training
Technology Development Strategy
security risks (e.g., program risks
related to cybersecurity resources (TDS) % programs with cybersecurity re-
lated risk management plans
and funding). Analysis of Alternatives (AoA)
Identify and manage project-level Risk Management Plan % programs with cybersecurity re-
cybersecurity risks (e.g., program lated risks
Risk Repository
risks related to cybersecurity re-
sources and funding). # cybersecurity related risks
tracked per month
SAF Practice Area 2.5 Supplier Management: Does the program consider
cybersecurity when selecting suppliers and managing their activities?
Activities/Practices Outputs Candidate Metrics
Select suppliers based on their abil- Source Selection Criteria # of supplier cybersecurity related
ity to meet specified cybersecurity criteria in Source Selection Criteria
Relative raking/importance of sup-
plier cybersecurity related criteria in
Source Selection Criteria
SAF Area 3.2 Requirements: Does the program manage software security
Activities/Practices Outputs Candidate Metrics
Attend training for developing Training completed % of software engineers trained in
security requirements for software security requirements development
(for selected software engineers).
Conduct security risk analysis Prioritized list of software security Number of software security risks
(includes threat modeling and risks controlled/mitigated (e.g., high and
abuse/misuse cases). medium risks)
Prioritized list of design weak-
nesses Number of software security risks
Prioritized list of controls/mitigations
Number of software security con-
Mapping of controls/mitigations to
trols/mitigations selected for re-
design weaknesses
quirements development
Incorporate security requirements Security features in architecture Number of applicable security re-
into software architecture. (e.g., authentication, access con- quirements not implemented in
trol, encryption, and auditing) software architecture
Conduct security risk analysis of ar- Prioritized list of software architec- Number of software security risks
chitecture. ture security risks controlled/mitigated (e.g., high and
medium risks)
Prioritized list of architecture design
weaknesses Number of software security risks
Mapping of architecture security
features to design weaknesses Number of architecture design
weaknesses without security con-
List of architecture design weak-
nesses without security con-
Address design weaknesses identi- Security controls/mitigations imple- Number of architecture design
fied during architectural security mented in software architecture weaknesses without security con-
risk analysis. trols/mitigations
Conduct security reviews of soft- Security defects in software archi- Number of security defects in soft-
ware architecture (e.g., peer re- tecture identified in internal reviews ware architecture
views, inspections, and independ-
ent reviews).
Manage security changes to soft- Security change requests for soft- Number of security change re-
ware architecture. ware architecture quests for software architecture
SAF Practice Area 3.4 Implementation: Does the program minimize the number of
vulnerabilities inserted into the code?
Activities/Practices Outputs Candidate Metrics
Secure coding standards are ap- Policy that requires the use of se- % of vendor contracts including re-
plied cure coding standards quirements for the use of secure
coding standards
Contract language to ensure ven-
dor(s) practices require use of se- % of system developed using se-
cure coding standards cure coding standards
Code developers are trained in the Competency standards for code de- % of software developers trained in
use of secure coding standards velopers require training in secure secure coding standards
coding standards
% of code supported by developers
Hiring qualifications require training trained in secure coding standards
in secure coding standards
Evaluation practices (e.g. code re- Policy that requires the use of eval- % of vendor contracts requiring use
views and apply tools) are applied uation practices to identify and re- of evaluation practices and reporting
to identify and remove vulnerabili- move vulnerabilities and reporting of of vulnerability metrics
ties in delivered code (including metrics
Code coverage: % of code evalu-
code libraries, open source, and
Output of evaluations ated (total and by each type of re-
other reused components)
Corrections documented
Vulnerabilities per MLOC identified
Contract language requires use of
and removed
evaluation practices to identify and
remove vulnerabilities and metrics Unaddressed vulnerabilities per
reporting MLOC
Develop cybersecurity test cases Cybersecurity related test cases Also build off of requirements met-
based on software requirements based on software requirements, rics in addition to those provided
and risks and issues from prior risks, and prior lessons learned below.
agency/program/element experi-
Policy level and legal requirements Cybersecurity SW spec require-
included in test cases ments in test spec
% requirements covered
% requirements passed
Defect Rates
Total number of defects
Categories of defects
Criticality (Low, Med, High)
Number by Criticality
Number by Criticality over time
Number remaining open by Criti-
cality over time
Average time to correct a defect
by Criticality over time
Total Time to fix defects by cate-
gory over time
Perform a Software requirements Software requirements based test % SW requirements covered in test
based test coverage analysis coverage analysis results
Perform a Code Coverage Data Code Coverage Data Flow analysis # of code decision paths not
Flow analysis results exercised
Perform a Software structural test Software structural test coverage % of code not exercised
coverage analysis analysis results
% of code not accessible
Perform a Functional Test Cover- Functional Test Coverage analysis # functions tested
age analysis results
% functions tested
Stress Test
# functions stress tested
Test Cases
% functions stress tested
Size SW tested
Perform Peer Reviews of select test Peer Review results # products peer reviewed
products throughout the SW life cy-
cle % products peer reviewed
Perform a detailed resources analy- Resources usage analysis results % CPU Usage during peak perfor-
sis to determine system level ca- mance and stress
% memory Usage during peak per-
formance and stress
Verify coding standards have been Coding standards verification re- Number of code standard violations
followed sults Number of code standard violations
per module
SW Complexity per module
Avg. SW Complexity
% modules in each complexity cat-
Number of Memory Leaks
Number of Memory Usage Issues
Avg. Number of Memory Leaks per
Avg. Number of Memory Usage Is-
sues per SCI
Conduct cybersecurity test readi- Cybersecurity test readiness review Number of issues per Readiness
ness reviews as part of a Test results Review
Readiness Review (TRR)
An indication of extent of Bi-direc- Avg. Number of issues per Readi-
tional traceability provided between ness Review
requirements under test and test
Number of issues per Readiness
cases and test procedures in which
requirements will be verified (see Review per hour (or normalized by
some size measure)
also RTVM first row)
% SW requirements with Bi-direc-
An indication of extent of Bi-direc-
tional traceability provided between tional traceability provided between
requirements under test and test
SW requirements specs and SW
cases and test procedures in which
requirements under test (see also
RTVM first row) requirements will be verified
Perform functional and risk-based Functional and risk-based cyberse- %Safety components tested and %
cybersecurity testing for selected curity testing of the integrated sys- passed and % open over time
software components at various tem
%Mission critical components
levels of integration
Functional and risk-based cyberse- tested and % passed and % open
curity testing results at lower levels over time
of integration
# of levels of integration where
Test results at various levels of tests were performed
% levels of integration where tests
An indication of which levels of inte- were performed
gration were not tested and why
Number of functional tests and %
passed and % open
Perform operational security testing Operational security testing results Number of operational security test
for the integrated system cases completed and % passed
and % open
# of total issues by category
Red Team Assessments have been Completed Red Team Assessment # of total red team findings by
completed and results addressed results category
SW scanned for Vulnerabilities us- Identified vulnerabilities from per- Confidence levels in results catego-
ing Scanning Tools formed scans rized (very high, high, medium, low,
Scanning Tools’ Capabilities are very low)
Coverage analysis available
known % results in each confidence cate-
Dynamic/Static Analysis Dynamic/Static Analysis results gory
Developer Coverage analysis metrics TBD
% operational code scanned for
# vulnerabilities by category
# vulnerabilities by criticality
% vulnerabilities addressed by
% vulnerabilities addressed by
SAF Practice Area 4.1 Measurement and Analysis: Does the program adequately
measure cybersecurity in acquisition and engineering activities?
Define and improve cybersecurity Published Program Plan # cybersecurity measures defined
Program Status Reports # and % cybersecurity measures
Collect and analyze cybersecurity Published Program Plan # and % cybersecurity measures
measures.. collected and analyzed
Program Status Reports
SAF Practice Area 4.2 Change Management: Does the program manage
cybersecurity changes to its acquisition and engineering activities?
SAF Practice Area 4.3 Product Operation and Sustainment: Does the organization
responsible for operating and sustaining the software-reliant system manage
vulnerabilities and cybersecurity risks?
Perform detailed cybersecurity risk Operational Risk Management Plan # Cat 1 risks per month
analyses of operational systems
Operational Risk Repository # new Cat 1 risks per month
Assess cybersecurity during Maintenance Testing Results # of new defects per month
maintenance testing.
Established definition of Cat 1, 2, 3 # defects per line of code
Avg. time to close a defect
Conduct periodic penetration test- Penetration Testing Results # of vulnerabilities per month
ing of all software to identify cyber-
security vulnerabilities. Relationship to 4.3.1 above # of vulnerabilities remediated per
Conduct deep-dive penetration test- Penetration Testing Results # of vulnerabilities per month
ing of critical software to identify cy-
bersecurity vulnerabilities. Relationship to 4.3.1 above # of vulnerabilities remediated per
Run vulnerability scanning tools on Vulnerability Management Reports # of vulnerabilities per month
operational systems.
Relationship to 4.3.1 above # of vulnerabilities remediated per
Monitor the behavior of operational Software Monitoring Results # attacks per month (may need to
software/systems to identify signs be more frequent)
of attack. Relationship to 4.3.1 above
# false positive attacks per month
(may need to be more frequent)
Respond to cybersecurity incidents Incident Response Ticketing # attacks per month (may need to
as appropriate System be more frequent)
Ensure the ability to roll back to a Configuration/Change Management # times per month necessary to re-
previous version of the system System store system to operational state
when needed and maintain the ex-
Avg. time to restore system to oper-
pected level of cybersecurity.
ational state
# changes per month to Configura-
tion/Change Management System
Communicate suggested product Field Change Requests # changes per month suggested
changes or improvements related per product
to cybersecurity to the engineering Configuration/Change Management
System # changes per month accepted per
