iBet uBet web content aggregator. Adding the entire web to your favor.

Link to original content: https://api.crossref.org/works/10.4018/JSSE.2013010101
{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2022,3,30]],"date-time":"2022-03-30T04:44:59Z","timestamp":1648615499931},"reference-count":24,"publisher":"IGI Global","issue":"1","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2013,1]]},"abstract":"Ensuring and sustaining software product integrity requires that all project stakeholders share a common understanding of the status of the product throughout the development and sustainment processes. Accurately measuring the product\u2019s status helps achieve this shared understanding. This paper presents an effective measurement model organized by seven principles that capture the fundamental managerial and technical concerns of development and sustainment. These principles guided the development of the measures presented in the paper. Data from the quantitative measures help organizational stakeholders make decisions about the performance of their overall software assurance processes. Complementary risk-based data help them make decisions relative to the assessment of risk. The quantitative and risk-based measures form a comprehensive model to assess program and organizational performance. 
An organization using this model will be able to assess its performance to ensure secure and trustworthy products.<\/jats:p>","DOI":"10.4018\/jsse.2013010101","type":"journal-article","created":{"date-parts":[[2013,4,9]],"date-time":"2013-04-09T19:28:15Z","timestamp":1365535695000},"page":"1-10","source":"Crossref","is-referenced-by-count":0,"title":["Principles and Measurement Models for Software Assurance"],"prefix":"10.4018","volume":"4","author":[{"given":"Nancy R.","family":"Mead","sequence":"first","affiliation":[{"name":"CERT, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, USA"}]},{"given":"Dan","family":"Shoemaker","sequence":"additional","affiliation":[{"name":"Department of Computer and Information Systems, College of Liberal Arts & Education, University of Detroit Mercy, Detroit, MI, USA"}]},{"given":"Carol","family":"Woody","sequence":"additional","affiliation":[{"name":"CERT, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, USA"}]}],"member":"2432","reference":[{"key":"jsse.2013010101-0","unstructured":"Alberts, C., Allen, J., & Stoddard, R. (2011). Risk-based measurement and analysis: Application to software security (Tech. Rep. CMU\/SEI-2011-TN-032). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University."},{"key":"jsse.2013010101-1","unstructured":"Bishop, M., & Engle, S. (2006). The software assurance CBK and university curricula. In Proceedings of the 10th Colloquium for Information Systems Security Education. Adelphi, MD: University of Maryland, University College."},{"key":"jsse.2013010101-2","author":"R. A.Clark","year":"2002","journal-title":"A national strategy to secure cyberspace"},{"key":"jsse.2013010101-3","unstructured":"Committee on National Security Systems. (2010). Instruction No. 4009. National Information Assurance Glossary. 
Retrieved from http:\/\/webcache.googleusercontent.com\/search?q=cache:http:\/\/www.cnss.gov\/Assets\/pdf\/cnssi_4009.pdf"},{"key":"jsse.2013010101-4","doi-asserted-by":"crossref","author":"A.Dorofee","year":"1996","journal-title":"Continuous risk management guidebook","DOI":"10.21236\/ADA319533"},{"key":"jsse.2013010101-5","unstructured":"Drew, C. (2009). Wanted: Cyber ninjas. New York Times. Retrieved December 2009 from http:\/\/www.nytimes.com\/2010\/01\/03\/education\/edlife\/03cybersecurity.html?emc=eta1"},{"key":"jsse.2013010101-6","unstructured":"Goertzel, K. M. (2009). Introduction to software security. Department of Homeland Security. Retrieved June 2011 from https:\/\/buildsecurityin.us-cert.gov\/bsi\/547.html"},{"key":"jsse.2013010101-7","author":"C.Jones","year":"2005","journal-title":"Software quality in 2005: A survey of the state of the art"},{"key":"jsse.2013010101-8","unstructured":"Jones, C. (2012). Three harmful metrics and two helpful metrics, CERM risk insights. Retrieved September 2012 from http:\/\/insights.cermacademy.com\/2012\/07\/2-three-harmful-metrics-and-two-helpful-metrics-capers-jones-careers-risk\/"},{"key":"jsse.2013010101-9","doi-asserted-by":"crossref","unstructured":"Mead, N. R. (2012). Measuring the software security requirements engineering process. In Proceedings of the IEEE Computer Systems and Applications Conference (COMPSAC), Izmir, Turkey.","DOI":"10.1109\/COMPSACW.2012.107"},{"key":"jsse.2013010101-10","doi-asserted-by":"crossref","unstructured":"Mead, N. R., Allen, J. H., Ardis, M. A., Hilburn, T. A., Kornecki, A. J., Linger, R. C., & McDonald, J. (2010). Software assurance curriculum project volume I: Master of software assurance reference curriculum (Tech. Rep. CMU\/SEI-2010-TR-005). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University.","DOI":"10.21236\/ADA532578"},{"key":"jsse.2013010101-11","doi-asserted-by":"crossref","unstructured":"Mead, N. R., Hawthorne, E. K., & Ardis, M. A. (2011). 
Software assurance curriculum project volume IV: Community college education (Tech. Rep. CMU\/SEI-2011-TR-017). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University.","DOI":"10.21236\/ADA610465"},{"key":"jsse.2013010101-12","unstructured":"Mead, N. R., Hilburn, T. B., & Linger, R. C. (2010). Software assurance curriculum project volume II: Undergraduate course outlines (Tech. Rep. CMU\/SEI-2010-TR-019). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University."},{"key":"jsse.2013010101-13","doi-asserted-by":"crossref","unstructured":"Mead, N. R., Hough, E. D., & Stehney, T. R., II. (2005). Security quality requirements (SQUARE) methodology (Tech. Rep. CMU\/SEI-2005-TR-009). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University.","DOI":"10.21236\/ADA443493"},{"key":"jsse.2013010101-14","unstructured":"Mitre. (2012). Common weakness enumeration. Mitre Corporation. Retrieved September 2012 from http:\/\/cwe.mitre.org\/"},{"key":"jsse.2013010101-15","unstructured":"Newman, M. (2002). Software errors cost U.S. economy $59.5 billion annually [Press release]. Gaithersburg, MD: National Institute of Standards and Technology (NIST)."},{"key":"jsse.2013010101-16","unstructured":"Partnership for Public Service & Booz Allen Hamilton. (2009). Cyber IN-security: Strengthening the federal cybersecurity workforce. Partnership for Public Service. Retrieved July 2009 from http:\/\/ourpublicservice.org\/OPS\/publications\/viewcontentdetails.php?id=135"},{"key":"jsse.2013010101-17","year":"2005","journal-title":"Cybersecurity: A crisis of prioritization"},{"key":"jsse.2013010101-18","author":"S. T.Redwine","year":"2006","journal-title":"Software assurance: A guide to the common body of knowledge to produce, acquire and sustain secure software, version 1.1"},{"key":"jsse.2013010101-19","unstructured":"Redwine, S. T. (2008). Toward an organization for software system security principles and guidelines (Tech. Rep. 08-01). 
Harrisonburg, VA: James Madison University."},{"issue":"7","key":"jsse.2013010101-20","article-title":"The protection of information in computer systems.","volume":"17","author":"J. H.Saltzer","year":"1974","journal-title":"Communications of the ACM"},{"key":"jsse.2013010101-21","unstructured":"Wikipedia. (2012a). Morris worm. Wikipedia. Retrieved September 2012 from http:\/\/en.wikipedia.org\/wiki\/Morris_worm"},{"key":"jsse.2013010101-22","unstructured":"Wikipedia. (2012b). IBM System\/370. Wikipedia. Retrieved September 2012 from http:\/\/en.wikipedia.org\/wiki\/System\/370"},{"key":"jsse.2013010101-23","doi-asserted-by":"crossref","unstructured":"Woody, C., Mead, N., & Shoemaker, D. (2012). Foundations for software assurance. In Proceedings of Hawaii International Conference on System Sciences, Maui, Hawaii.","DOI":"10.1109\/HICSS.2012.287"}],"container-title":["International Journal of Secure Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=76352","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2018,11,13]],"date-time":"2018-11-13T19:16:25Z","timestamp":1542136585000},"score":1,"resource":{"primary":{"URL":"http:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/jsse.2013010101"}},"subtitle":[""],"short-title":[],"issued":{"date-parts":[[2013,1]]},"references-count":24,"journal-issue":{"issue":"1"},"URL":"https:\/\/doi.org\/10.4018\/jsse.2013010101","relation":{},"ISSN":["1947-3036","1947-3044"],"issn-type":[{"value":"1947-3036","type":"print"},{"value":"1947-3044","type":"electronic"}],"subject":[],"published":{"date-parts":[[2013,1]]}}}