8/2/2019 Risk-Based Measurement and Analysis: Application to Software Security
1/63
Risk-Based Measurement and Analysis:
Application to Software Security
Christopher Alberts
Julia Allen
Robert Stoddard
February 2012
TECHNICAL NOTE
CMU/SEI-2012-TN-004
CERT® Program
Unlimited distribution subject to the copyright.
http://www.sei.cmu.edu
Copyright 2012 Carnegie Mellon University.
This material is based upon work funded and supported by United States Department of Defense under Contract No. FA5-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.
This report was prepared for the
Contracting Officer
ESC/CAA
20 Schilling Circle
Building 1305, 3rd Floor
Hanscom AFB, MA 01731-2125
NO WARRANTY
THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
This material has been approved for public release and unlimited distribution except as restricted below.
Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and No Warranty statements are included with all reproductions and derivative works.
External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
CERT® is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
* These restrictions do not apply to U.S. government entities.
CMU/SEI-2012-TN-004 | i
Table of Contents
Acknowledgments vii
Abstract ix
1 Introduction 1
1.1 Technical Approach 2
1.2 Audience 3
1.3 Structure of this Report 3
2 Measurement Concepts 4
2.1 Establish and Sustain Commitment 6
2.2 Plan Measurement 6
2.3 Perform Measurement 7
2.4 Evaluate Measurement 7
2.5 Technical and Management Processes
4 Mission Risk Diagnostic (MRD) 12
4.1 Driver Identification 12
4.1.1 Mission 12
4.1.2 Objectives 13
4.1.3 Drivers 14
4.1.4 Deriving a Set of Drivers 15
4.1.5 A Standard Set of Drivers for Software Security 15
4.1.6 Tailoring an Existing Set of Drivers 16
4.2 Driver Analysis 17
4.3 Driver Profile 20
4.4 Mission Risk 21
4.5 The MRD: Key Tasks and Steps 22
5 Integrated Measurement and Analysis Framework (IMAF) 23
5.1 Using the IMAF to Direct Measurement, Analysis, and Reporting Activities 24
5.2 Applying ISO 15939 Measurement in an IMAF Context 26
6 Additional Research Tasks 27
6.1 Measure Identification 27
6.2 Standard Mapping 2
List of Figures
Figure 1: Risk-Based Decision Making 2
Figure 2: Measurement Process 5
Figure 3: Relationships among Objectives and Drivers 15
Figure 4: Driver Question and Range of Responses 1
Figure 7: Driver Profile 21
Figure : IMAF Scenario 25
Figure 11: The IMAF in an ISO 15939 Measurement Context 26
Figure 12: Link from Mission to Measures (Conceptual View) 27
Figure 13: Standard Mapping (Conceptual View) 2
Figure 15: The IMAF Revisited 33
List of Tables
Table 1: Driver States 14
Table 2: Prototype Set of Driver Questions for Software Security 16
Table 3: The MRD: Key Tasks and Steps 22
Acknowledgments
The authors thank Archie Andrews, Carol Woody, and Dave Zubrow for their sponsorship and support of this work. We thank Rita Creel and Audrey Dorofee for their careful technical review of this document and their thoughtful comments. We also thank Audrey Dorofee for her technical contribution to the development of the Mission Risk Diagnostic as part of the SEI's Mission Success in Complex Environments (MSCE) special project. We would also like to thank Alexa Huth for editing this document. Finally, the authors thank the SEI's CERT® Program for providing the funding to conduct this research effort.
® CERT is a registered mark owned by Carnegie Mellon University.
Abstract
For several years, the software engineering community has been working to identify practices aimed at developing more secure software. Although some foundational work has been performed, efforts to measure software security assurance have yet to materialize in any substantive fashion. As a result, decision makers (e.g., development program and project managers, acquisition program offices) lack confidence in the security characteristics of their software-reliant systems. The CERT® Program at Carnegie Mellon University's Software Engineering Institute (SEI) has chartered the Software Security Measurement and Analysis (SSMA) Project to advance the state-of-the-practice in software security measurement and analysis. The SSMA Project is exploring how to use risk analysis to direct an organization's software security measurement and analysis efforts. The overarching goal is to develop a risk-based approach for measuring and monitoring the security characteristics of interactively complex software-reliant systems across the lifecycle and supply chain. To accomplish this goal, the project team has developed the SEI Integrated Measurement and Analysis Framework (IMAF) and refined the SEI Mission Risk Diagnostic (MRD). This report is an update to the technical note, Integrated Measurement and Analysis Framework for Software Security (CMU/SEI-2010-TN-025), published in September 2010. This report presents the foundational concepts of a risk-based approach for software security measurement and analysis and provides an overview of the IMAF and the MRD.
1 Introduction
Many organizations measure just for the sake of measuring, with little or no thought given to what purpose and business objectives are being satisfied or what questions each measure is intended to answer. However, meaningful measurement is about transforming strategic direction, policy, and other forms of management decision into action and measuring the performance of that action. Effective measures express the extent to which objectives are being met, how well requirements are being satisfied, how well processes and controls are functioning, and the extent to which performance outcomes are being achieved. The basic goal of measurement and analysis is to provide decision makers with the information they need, when they need it, and in the right form. In recent years, researchers have begun to turn their attention to the topic of software security assurance and how to measure it.
Software security assurance is justified confidence that software-reliant systems are adequately planned, acquired, built, and fielded with sufficient security to meet operational needs, even in the presence of attacks, failures, accidents, and unexpected events. For several years, various groups within the software engineering community have been working diligently to identify practices aimed at developing more secure software. However, efforts to measure software security assurance have yet to materialize in any substantive fashion, although some foundational work has been performed.
As a result of the software engineering community's interest, the CERT® Program at Carnegie Mellon University's Software Engineering Institute (SEI) chartered the Software Security Measurement and Analysis (SSMA) Project in October 2009 to advance the state-of-the-practice in software security measurement and analysis. The SSMA Project builds on the CERT Program's core competency in software and information security as well as the SEI's work in software engineering measurement and analysis. The purpose of this new research project is to address the following two questions:
1. How do we establish, specify, and measure justified confidence that interactively complex software-reliant systems are sufficiently secure to meet operational needs?
2. How do we measure at each phase of the development or acquisition life cycle that the required/desired level of security has been achieved?
In essence, the two research questions examine how decision makers (for example, development program and project managers as well as acquisition program officers) can measure and monitor the security characteristics of interactively complex software-reliant systems across the life cycle and supply chain. This report is primarily focused on answering the first research question.
® CERT is a registered mark owned by Carnegie Mellon University.
1.1 Technical Approach
To answer the first research question, we are proposing to use risk analysis as a means of directing an organization's software security measurement and analysis efforts. This concept is shown in Figure 1. Consider the specific example where the decision maker is an acquisition program manager. From a software security perspective, the program manager wants to establish a reasonable degree of confidence that the software product being acquired and developed will be sufficiently secure to meet operational needs. In other words, the program manager is interested in establishing some benchmark of software security assurance.
Figure 1: Risk-Based Decision Making
Risk analysis is one approach that can be used to establish software security assurance for a software product. If the security risk to the deployed software product is kept within an acceptable tolerance, then the manager will have a reasonable degree of confidence that the software product is sufficiently secure to meet operational needs (i.e., reasonable assurance). An inverse relationship exists between risk and assurance: As risk is reduced, the degree of assurance increases proportionally (and vice versa).
Figure 1 shows that risk analysis provides the program manager with an understanding of the program's current risks and uncertainties. A risk analysis can provide the manager with an indication of whether or not the program is on track for success. However, uncertainties reflect circumstances where there are known gaps in the underlying data or where the data collected are not fully trusted. As a result, uncertainties provide the program manager with an opportunity to collect additional data in order to reduce the degree of decision-making uncertainty inherent in the current situation.
The program manager can then update his or her decision-making needs or requirements based on the goal of reducing uncertainty. The decision-making needs or requirements are then translated into revised information needs that are used to identify additional data that need to be collected. These data can be collected using a variety of mechanisms, including assessments, status reporting, and measurement. Over time, the reduction in uncertainty resulting from new data that are collected, analyzed, and reported should provide decision makers with more clarity regarding system performance. As a result, the reduction in uncertainty enables better decision making based on more objective data.
2 Measurement Concepts
The SEI has engaged in software engineering measurement and analysis for many years, and we drew from this body of knowledge to inform the SSMA research project and this report. Measurement and analysis involves gathering quantitative data about products, processes, and projects and analyzing that data to influence actions and plans. Measurement and analysis activities allow decision makers to achieve the following outcomes [Park 1996, SEI 2010]:
- characterize, to gain an understanding of processes, products, resources, and environments and to establish baselines for comparisons with future assessments
- evaluate, to determine the current status with respect to plans
- predict, by understanding relationships among processes and products and building models of these relationships, so that the values observed for some attributes can be used to predict others
- improve, by identifying roadblocks, root causes, inefficiencies, and other opportunities for improving product quality and process performance
Many definitions for the term measurement exist. For this project, we have adopted the following definition: a set of observations that reduce uncertainty where the result is expressed as a quantity [Hubbard 2007]. For measurement to have an impact, it must affect the behavior of decision makers. If decisions are not influenced by measurement activities, then measurement provides no added value [Hubbard 2007].
A process for measurement and analysis defines, implements, and sustains a measurement capability, ensuring that the information needs of decision makers are satisfied. For the purpose of this research project and report, an organizational entity may be of a size and complexity ranging from a single organization up to and including multiple, independently managed organizations that are working collaboratively to achieve a common mission (e.g., a global supply chain).
Measurement activities and their relationships are shown in Figure 2, which is adapted from ISO/IEC 15939:2007 Systems and Software Engineering Measurement Process [ISO 2007]. A version of this figure also appears in Practical Software Measurement: Objective Information for Decision Makers [McGarry 2002]. An effective measurement process, such as the one illustrated in Figure 2, exhibits the following characteristics [ISO 2007]:
- Commitment for measurement is established and sustained across the organizational entity.
- The information needs of decision makers, and the technical and management processes that support them, are identified.
- An appropriate set of measures driven by the information needs are identified and/or developed.
- Measurement activities are identified.
- Identified measurement activities are planned.
- The required data are collected, stored, and analyzed, and the results are interpreted.
- Information products are used to support decisions and provide an objective basis for communication.
- The measurement process and measures are evaluated.
- Improvements identified through evaluation and use of the measurement process and measures are communicated to the measurement process owner.
[Figure 2 diagram. Boxes: Technical and Management Processes; Core Measurement Activities (Establish and Sustain Commitment, Plan Measurement, Perform Measurement, Evaluate Measurement). Labelled flows: information needs, information products, performance measures, commitment, measurement plan, new issues, improvements, user feedback, requirements for measurement.]
Figure 2: Measurement Process
Our research agenda maps to the core measurement activities depicted in Figure 2 (plan measurement and perform measurement). In Section 1 of this report, we highlighted the two questions that we intend to answer when conducting this research project. The first question is: How do we establish, specify, and measure justified confidence that interactively complex software-reliant systems are sufficiently secure to meet operational needs? This question maps to the plan measurement activity from Figure 2. This report is primarily focused on answering this question by describing an approach for planning measurement activities.
Our second research question is: How do we measure at each phase of the development or acquisition life cycle that the required/desired level of security has been achieved? Question two is focused on how to conduct measurement activities during each lifecycle phase. As a result, question two maps to the perform measurement activity of Figure 2. While our current work only touches upon the second research question, our future research and development activities will focus on addressing this research question and describing an approach for performing measurement activities. As our research project progresses, we intend to address all four measurement-related activities from Figure 2 (establish and sustain commitment, plan measurement, perform measurement, and evaluate measurement).
The measurement and analysis activities depicted in Figure 2 are briefly described in the remainder of this section so that plan measurement and perform measurement are presented in the context of the full process.1
2.1 Establish and Sustain Commitment
Measurement and analysis cannot succeed without management and stakeholder commitment, both up front as the measurement and analysis process is being scoped and defined and on an ongoing basis as the process is implemented. Stakeholder commitment requires a sponsor who ensures that decision makers and key stakeholders are fully engaged. The sponsor works with measurement stakeholders to
- allocate the resources necessary to execute all process activities on a sustaining basis
- use the measurement reports that result from the process
- identify improvements that will make results most useful for informing key decisions
Additionally, a grassroots commitment to establishing and sustaining measurement must exist in the sense that each individual in the organization feels free to provide accurate and timely data. To achieve such a grassroots commitment, organizations must recognize the psychology of measurement and address any institutional barriers to a comprehensive measurement and analysis effort. Individuals and project groups must view measurement as a positive and purposeful activity that is deserving of the utmost discipline and quality. Additional policies that may be warranted include sufficient data security and usage controls, sometimes including a measurement code of ethics to be signed by all managers, data custodians, and other users of the data repository.
2.2 Plan Measurement
The plan measurement activity encompasses (1) the identification of information needs for decision makers and (2) the selection and definition of appropriate measures to address those needs. As defined in this report, a measure is a variable to which a value is assigned as the result of measurement [ISO 2007]. Planning for measurement considers a project's goals, constraints, risks, and issues or problems. Information needs can be derived from societal, political, environmental, economic, business, organizational, regulatory, technological, product, and programmatic objectives.
For the purpose of this research project, the scope of information needs and the decisions they inform are intended to cover a wide range of contexts for the measurement and analysis of software security, including
- a single software application, a set of applications, a software-reliant system, and a system of systems
- software and systems that are being developed or acquired
- software and systems in operation, including the modification of existing systems and the addition of new software and systems
- single organizations and multiple organizations collaborating to achieve a joint mission
1 A detailed description of each measurement and analysis activity is available in ISO/IEC 15939:2007 [ISO 2007] and Practical Software Measurement [McGarry 2002].
Planning for measurement also addresses the tasks, schedule, and resources (staff, technologies, facilities, etc.) required to accomplish all measurement process activities. This includes defining the procedures that will be used for data collection, storage, analysis, and reporting.
2.3 Perform Measurement
The perform measurement activity encompasses the timely collection, analysis, storage, and reporting of measurement data to provide decision makers with the information products that satisfy their information needs. Analysis and reporting includes formulating recommendations for decision makers and providing alternative courses of action based on measurement results.
2.4 Evaluate Measurement
The evaluate measurement activity assesses both the measures that are used, as well as the capability of the measurement process itself. It ensures that the measurement approach is continually updated to address the information needs of decision makers as well as to promote an increasing maturity of the measurement process.
The quality of measurement data is particularly important. Poor quality data can lead to incorrect assumptions and bad decisions, which can erode people's trust in the measurement data that are collected. As a result, the quality and effectiveness of all information products produced by the measurement process must be evaluated using predefined criteria.
Evaluating a measurement process ultimately leads to the identification of improvements to the measurement effort. The measurement process may be evaluated in the following four ways [SEMA 2009]:
1. Measurement and analysis planning: an evaluation of the planning for measurement at various levels of the organization down to and including the project level
2. Data collection and storage: an evaluation of the processes, responsibilities, and tools used to collect and store data
3. Data analysis: an evaluation of how an organization conducts data analysis including analytical methods and tools
4. Measurement and analysis reporting: an evaluation of the processes, integrity, and effectiveness of reporting the results of measurement and analysis
Improving the measurement process involves a wide variety of solutions based on identified deficiencies. Improvements can range from building proper senior management commitment and support for measurement to increasing the quality of collected measurement data. Common process aids used by teams in identifying measurement process improvements include the Ishikawa diagram2 (otherwise known as the fishbone diagram) and Failure Modes and Effects Analysis (FMEA) [Stamatis 2003]. Both of these techniques structure the discussion about what can go wrong and why.
2 http://en.wikipedia.org/wiki/Ishikawa_diagram
3 Two Approaches for Analyzing Risk
Our research is focused on developing risk-based approaches for measuring and analyzing the performance of interactively complex software-reliant systems across the life cycle and supply chain. To fully appreciate what this statement means, you need to understand the phrase, interactively complex software-reliant systems.
A socio-technical system is defined as interrelated technical and social elements that are engaged in goal-oriented behavior. Elements of a socio-technical system include the people who are organized in teams or departments to do their work tasks and the technologies on which people rely when performing work tasks. Projects, programs, and operational processes are all examples of socio-technical systems. A software-reliant system is a socio-technical system whose behavior (e.g., functionality, performance, safety, security, interoperability, and so forth) is dependent on software in some significant way [Bergey 2009]. In the remainder of this document, when we use the word system, we are referring to a software-reliant system.
Interactive complexity refers to the presence of unplanned and unexpected sequences of events in a system that are either not visible or not immediately understood [Perrow 1999]. The components in an interactively complex system interact in relatively unconstrained ways. When a system is interactively complex, independent failures can interact with the system in ways that cannot be anticipated by the people who design and operate the system.
Measurement and analysis should be tailored to the context in which it will be applied. In our research project, we have been focused on using risk analysis to direct the measurement and analysis of interactively complex systems. Two distinct risk analysis approaches can be used when evaluating systems: (1) tactical risk analysis and (2) systemic risk analysis.3
3.1 Tactical Risk Analysis
Risk is the probability of suffering harm or loss. From the tactical perspective, risk is defined as the probability that an event will lead to a negative consequence or loss. The basic goal of tactical risk analysis is to evaluate a system's components for potential failures. Tactical risk analysis is based on the principle of system decomposition and component analysis. The first step of this approach is to decompose a system into its constituent components. The individual components are then prioritized, and a subset of components is designated as being critical. Next, the risks to each critical component are analyzed.
Tactical risk analysis enables stakeholders to (1) determine which components are most critical to a system and (2) analyze ways in which those critical components might fail (i.e., analyze the risk to critical components). Stakeholders can then implement effective controls designed to mitigate those potential failures. Because of its focus on preventing potential failures, tactical risk analysis has been applied extensively within the discipline of systems engineering. However, analysts need to understand the limitations of using tactical risk analysis to evaluate interactively complex systems, which include the following:
- Only critical components are analyzed. Non-critical components are not examined, and interdependencies among components are not addressed.
- The selection of which conditions and events (i.e., sources or causes of risk) to consider is subjective.
- Non-linear relationships among conditions and events (e.g., feedback) are not considered. Risk causal relationships are presumed to be simple, direct, and linear.
- Events that produce extreme or catastrophic consequences are difficult to predict because they can be triggered by the contemporaneous occurrences of multiple events, cascading consequences, and emergent system behaviors.
- Confidence in the performance of individual components does not establish confidence in the performance of the parent system.
In addition, when you attempt to decompose interactively complex systems, some system-wide behaviors become lost. It is very difficult to establish the relationship between the macro-level behavior of the system and the micro-level behavior of individual components. As a result, tactical risk analysis provides a partial picture of the risks to an interactively complex system. To get a more holistic view of risk in an interactively complex system, you need to employ an alternative analysis approach.
3 The discussion of tactical and systemic risk analysis is adapted from A New Accident Model for Engineering Safer Systems [Leveson 2004].
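As an added illustration that is not part of the SEI report, the Python sketch below contrasts the two views on a small constructed system: a tactical analysis that keeps only the designated critical components and treats them as independent, and a whole-system enumeration that propagates failures along dependency edges before asking whether a critical component is down. Component names, failure probabilities and dependency edges are assumptions made for the example.

```python
"""Added illustration (not from the SEI report): tactical vs. whole-system risk.

A tactical analysis keeps only the components it has designated critical and
analyses each one as if it failed independently. Once dependencies are
included, the failure of a component that was never examined can still bring
a critical one down, so the tactical figure understates mission risk.
Component names, failure probabilities and dependency edges are constructed
for this example.
"""
from itertools import product

# Constructed: probability that each component fails on its own (an
# "intrinsic" failure, independent of every other component).
INTRINSIC_FAILURE = {
    "auth": 0.01,     # designated critical
    "db": 0.02,       # designated critical
    "cache": 0.10,    # not critical in the tactical prioritisation
    "storage": 0.03,  # not critical in the tactical prioritisation
    "logging": 0.05,  # not critical; no critical component relies on it
}

# Constructed dependency edges: component -> components it relies on.
# A component whose upstream dependency is down is down too (cascade).
DEPENDS_ON = {
    "auth": {"cache", "db"},
    "db": {"storage"},
    "cache": set(),
    "storage": set(),
    "logging": set(),
}

CRITICAL = {"auth", "db"}  # the subset a tactical analysis keeps


def tactical_risk(critical=CRITICAL, probs=INTRINSIC_FAILURE):
    """Critical components only, treated as independent:
    P(at least one critical component fails on its own)."""
    survive = 1.0
    for name in critical:
        survive *= 1.0 - probs[name]
    return 1.0 - survive


def effective_failures(intrinsic_failed, deps=DEPENDS_ON):
    """Propagate intrinsic failures along the dependency edges until no
    further component is affected; return everything that is down."""
    failed = set(intrinsic_failed)
    changed = True
    while changed:
        changed = False
        for comp, upstream in deps.items():
            if comp not in failed and upstream & failed:
                failed.add(comp)
                changed = True
    return failed


def systemic_risk(critical=CRITICAL, probs=INTRINSIC_FAILURE, deps=DEPENDS_ON):
    """Whole-system view: enumerate every combination of intrinsic failures
    (2**n for n components), propagate cascades, and add up the probability
    of the combinations in which some critical component ends up down."""
    names = sorted(probs)
    mission_failure = 0.0
    for states in product((False, True), repeat=len(names)):
        p = 1.0
        intrinsic_failed = set()
        for name, failed in zip(names, states):
            p *= probs[name] if failed else 1.0 - probs[name]
            if failed:
                intrinsic_failed.add(name)
        if effective_failures(intrinsic_failed, deps) & critical:
            mission_failure += p
    return mission_failure


def upstream_of(comp, deps=DEPENDS_ON):
    """Every component that `comp` relies on, directly or transitively."""
    seen, stack = set(), list(deps.get(comp, ()))
    while stack:
        up = stack.pop()
        if up not in seen:
            seen.add(up)
            stack.extend(deps.get(up, ()))
    return seen


def overlooked_components(critical=CRITICAL, deps=DEPENDS_ON):
    """Non-critical components whose failure still takes a critical one
    down: exactly the ones a tactical analysis never examines."""
    hidden = set()
    for comp in critical:
        hidden |= upstream_of(comp, deps)
    return hidden - critical


if __name__ == "__main__":
    print(f"tactical risk (critical only, independent): {tactical_risk():.4f}")
    print(f"systemic risk (cascades included):          {systemic_risk():.4f}")
    print(f"non-critical components that matter:        "
          f"{sorted(overlooked_components())}")
```

With these constructed numbers the tactical figure is about 0.03 while the whole-system figure is about 0.15, the gap coming entirely from the cache and storage components that the tactical prioritisation discarded.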
3.2 Systemic Risk Analysis
From the systemic perspective, risk is defined as the probability of mission failure (i.e., not achieving key objectives). Systemic risk, also referred to as mission risk in this document, examines the aggregate effects of multiple conditions and events on a system's ability to achieve its mission. Systemic risk analysis is based on system theory. The underlying principle of system theory is to analyze a system as a whole rather than decomposing it into individual components and then analyzing each component separately [Leveson 2004]. In fact, some properties of a system are best analyzed by considering the entire system, including
- influences of environmental factors
- feedback and nonlinearity among causal factors
- systemic causes of failure (as opposed to proximate causes)
- emergent properties
Systemic risk analysis thus provides a holistic view of the risk to an interactively complex socio-technical system. The first step in this type of risk analysis is to establish the objectives that must be achieved. The objectives define the desired outcome, or picture of success, for a system. Next, systemic factors that have a strong influence on the outcome (i.e., whether or not the objectives will be achieved) are identified. These systemic factors, called drivers in this report, are important because they define a small set of factors that can be used to assess a system's performance and gauge whether it is on track to achieve its key objectives. The drivers are then analyzed, which enables decision makers to gauge the overall risk to the system's mission.
Applying systemic risk analysis to interactively complex systems provides decision makers with a
means of confidently assessing the behavior of the system as a whole, which is necessary when
assessing assurance. The next section of this report builds on the concepts outlined in this section
by describing a method for analyzing systemic risk in interactively complex systems.
4 Mission Risk Diagnostic (MRD)⁴
The SEI is developing the Mission Risk Diagnostic (MRD) to enable systemic risk analysis of
interactively complex systems. During our research and development activities over the past few
years, we demonstrated how the MRD provides an efficient and effective means of analyzing risk
in interactively complex systems, such as acquisition programs [Alberts 2009, Dorofee 2008]. The following
is an example of a mission statement as required by the MRD: The XYZ Program is providing a
new, web-based payroll system for our organization.
⁴ Much of the material in this section is adapted from A Framework for Categorizing Key Drivers of Risk [Alberts 2009].
⁵ The MRD builds off of and expands on the work of the SEI Mission Success in Complex Environments (MSCE) Special Project. For more information on MSCE, see http://www.sei.cmu.edu/risk/.
⁶ In this document, the term project is defined as a planned set of interrelated tasks to be executed over a fixed period of time and within certain cost and other limitations.
⁷ In this document, the term program is defined as a group of related projects managed in a coordinated way to obtain benefits and control not available from managing them individually. Programs usually include an element of ongoing activity.
The mission statement is important because it defines the target, or focus, of the analysis effort.
After the basic target has been established, the next step is to identify which specific aspects of
the mission need to be analyzed in detail.
4.1.2 Objectives
In the MRD, an objective is defined as a tangible outcome or result that must be achieved when
pursuing a mission [Alberts 2009]. Each mission typically comprises multiple objectives. The
goal of the second step of driver identification is to determine which of those objectives will be
assessed. Selecting objectives refines the scope of the assessment to address specific aspects of
the mission that are important to decision makers. In general, objectives identified during the
MRD should meet the following criteria:
- specific: The objective is concrete, detailed, focused, and well defined. It emphasizes action and states a specific outcome to be accomplished.
- measurable: The objective can be measured, and the measurement source is identified.
- achievable: The expectation of what will be accomplished is attainable given the time period, resources available, and so on.
- relevant: The outcome or result embodied in the objective supports the broader mission being pursued.
- time-bound: The timeframe in which the objective will be achieved is specified.
During driver identification, analysts must select one or more objectives that will be analyzed.
The number of objectives depends on the breadth and nature of the issues being investigated. The
following is an example of a generic objective for determining whether an acquisition program is
adequately addressing software security: When the system is deployed, security risks to the deployed system will be within an acceptable tolerance.⁸ This example is fairly abstract;
additional details must be added to the objective to meet the criteria listed above. For example, the
objective could be augmented to address
- which system is being deployed
- when that system is expected to be deployed
- how risk will be measured
- how acceptable tolerance is defined for the program
⁸ This objective is focused on whether the tactical security risks affecting a deployed, operational system will be within an acceptable tolerance. Tactical risk analysis is commonly used to mitigate operational security risks when acquiring, engineering, and developing a technology. In this section, the MRD is being used to predict whether or not the tactical security risks of a deployed, operational system will be within an acceptable tolerance. Here, a systemic risk analysis approach (the MRD) is being used early in the life cycle (during development) to predict the results of a tactical risk analysis that will be performed later in the life cycle (during operations). For more information on tactical and systemic risk analysis, see Section 3 of this document.
The SEI's field experience shows that many decision makers (e.g., acquisition program managers)
have difficulty constructing objectives that meet the above criteria for objectives. While decision makers have a tacit understanding of their objectives, they often cannot precisely articulate or
express the objectives in a way that addresses the criteria. If the program's objectives are not
clearly articulated, decision makers can have trouble assessing whether the program is on track for
success. To address this issue, qualitative implementations of the MRD allow for imprecise
expressions of objectives. Specific information about objectives that is tacitly understood by
program managers and staff becomes more explicit during execution of the MRD. The remainder
of this section describes a qualitative implementation of the MRD. We are also working on a quantitative implementation of the MRD, which we intend to present in other reports.¹⁰
¹⁰ At this point in time, we do not have a good understanding of the relative values of using qualitative and quantitative implementations of the MRD. A goal of our research is to provide guidance about the benefits of using each implementation.
4.1.3 Drivers
The MRD defines a driver as a factor that has a strong influence on the eventual outcome or result
(i.e., whether or not objectives will be achieved) [Alberts 2009]. Table 1 highlights three key
attributes of a driver: name, success state, and failure state. The example driver in the table is
named Security Process, and it examines how the program's processes are affecting achievement
of the software security objective. Table 1 also indicates that each driver has two possible states: a
success state and a failure state. The success state means that the program's processes incorporate
security considerations adequately, which helps enable the achievement of the objectives. In
contrast, the failure state signifies that the program's processes do not adequately incorporate security considerations and, as a result, the objectives will not be achieved.
Table 1: Driver States
Attribute | Description | Example
Name | A concise label that describes the basic nature of the driver. | Security process
Success state | A driver exerts a positive influence on the outcome. | The process being used to develop and deploy the system sufficiently incorporates security.
Failure state | A driver exerts a negative influence on the outcome. | The process being used to develop and deploy the system does not sufficiently incorporate security.
Analysis of a driver requires determining how it is currently acting (i.e., its current state) by
examining the effects of conditions and potential events on that driver. The goal is to determine if
the driver is
- almost certainly in its success state
- most likely in its success state
- equally likely to be in its success or failure states
- most likely in its failure state
- almost certainly in its failure state
The above list can be used to define a qualitative scale for driver analysis. Analyzing each driver in
relation to the qualitative scale establishes a benchmark of performance in relation to a system's
documented mission and objectives.
4.1.4 Deriving a Set of Drivers
The starting point for identifying a set of drivers is to articulate the mission and objectives that are
being assessed. Analysts can then derive a set of drivers from them. The relationships among
mission, objectives, and drivers are depicted in Figure 3. When dealing with multiple objectives,
analysts must be sure to record these relationships to enable effective decision making.
Figure 3: Relationships among Objectives and Drivers
Deriving a unique set of drivers based on the program's mission and objectives requires gathering
information from people with experience and expertise relevant to the specified mission and
objectives. For example, identifying a set of drivers for software development objectives requires
input from acquisition programs' managers and software-reliant systems' developers. Similarly,
analysts seeking to identify a set of drivers for software security would consult with security
experts.
The experts from whom information is elicited should be familiar with the objectives that have
been defined. Analysts can use the objectives to focus interviews or discussions with experts.
During interviews or discussions, experts answer the following questions:
- What circumstances, conditions, and events will drive your program toward a successful outcome?
- What circumstances, conditions, and events will drive your program toward a failed outcome?
After they obtain information from the experts, analysts organize the information into
approximately 10-25 groups that share the driver as the central idea or theme of each group. SEI
staff has employed this approach for identifying drivers in a variety of areas, including software
acquisition and development programs, cyber security processes, and business portfolio
management [Alberts 2009]. The most recent focus has been on establishing drivers for software
security. The next section presents a set of software security drivers that have been developed by
SEI researchers.
4.1.5 A Standard Set of Drivers for Software Security
The SEI has applied driver identification to software security. As a result, a standard set of 17
drivers for software security has been identified and documented. (More details about the 17
drivers can be found in the appendix section of this report.) Table 2 lists the name of each
software security driver along with a question that is used when analyzing that driver's state.
These standard drivers were derived from the software security objective highlighted in Section
4.1.2 and have not been validated in pilot assessments.¹¹
The next step in the development of the
software security drivers is to validate them through field testing. Once a set of drivers is
validated, it serves as an archetype that analysts can quickly tailor and apply to specific programs.
¹¹ The standard set of software security drivers was derived from the following objective: When the system is deployed, security risks to the deployed system will be within an acceptable tolerance.
Table 2: Prototype Set of Driver Questions for Software Security
Driver Name | Driver Question
1. Program Security Objectives | Are the program's security objectives realistic and achievable?
2. Security Plan | Does the plan for developing and deploying the system sufficiently address security?
3. Contracts | Do contract mechanisms with partners, collaborators, subcontractors, and suppliers sufficiently address security?
4. Security Process | Does the process being used to develop and deploy the system sufficiently incorporate security?
5. Security Task Execution | Are security-related tasks and activities performed effectively and efficiently?
6. Security Coordination | Are security activities within the program coordinated appropriately?
7. External Interfaces | Do work products from partners, collaborators, subcontractors, or suppliers meet security requirements?
10. Security Requirements | Do requirements sufficiently address security?
11. Security Architecture and Design | Do the architecture and design sufficiently address security?
12. Code Security | Is the code sufficiently secure?
13. Integrated System Security | Does the integrated system sufficiently address security?
14. Adoption Barriers | Have barriers to customer/user adoption of the system's security features been managed appropriately?
15. Operational Security Compliance | Will the system comply with applicable security policies, laws, and regulations?
16. Operational Security Preparedness | Are people prepared to maintain the system's security over time?
17. Product Security Risk Management | Is the approach for managing product security risk sufficient?
The drivers in Table 2 can be divided into two fundamental types: programmatic drivers and
product drivers. Drivers 1-9 are referred to as programmatic drivers because they provide insight
into how well a system (e.g., an acquisition program) is being managed. Drivers 10-17 are referred
to as product drivers because they provide insight into the product that is being acquired,
developed, and deployed.
4.1.6 Tailoring an Existing Set of Drivers
The standard drivers (Table 2) describe general security concerns that analysts should consider
when assessing the security characteristics of software products being developed and deployed by
acquisition programs. However, the standard set must be tailored to the requirements of a
specific acquisition program to ensure that the
- set of drivers accurately reflects the key objectives of the specific program being assessed
- set of drivers is adjusted appropriately based on the program's context and characteristics
- phrasing of each driver is consistent with the program's terminology
The first step when tailoring an existing set of drivers is to clearly articulate the program's
objectives. In addition, background information about the program is required to understand what
the program is trying to accomplish and to gain an appreciation for its unique context and
characteristics.
After analysts gain a basic understanding of the program's context, they can then begin to tailor
the drivers. Based on the objectives being assessed and the data that has been gathered, analysts
must complete the following steps:
1. Determine which drivers do not apply to the program. Eliminate extraneous drivers from the set.
2. Establish whether any drivers are missing from the list. Add those drivers to the set.
3. Decide if multiple drivers from the set should be combined into a single, high-level driver. Replace those drivers with a single driver that combines them.
4. Decide if any drivers should be decomposed into multiple, more detailed drivers. Decompose each of those drivers into multiple drivers.
5. Adjust the wording of each driver to be consistent with the terminology and language of the program that is being assessed.
At this point, the tailored set of drivers can be used to assess the program's current state by
conducting driver analysis.
4.2 Driver Analysis
The goal of driver analysis is to determine how each driver is influencing the objectives. More
specifically, the probability of success state or failure state for each driver must be established.
Notice that each driver question in Table 2 is expressed as a yes/no question that is phrased from
the success perspective. Figure 4 depicts a driver question for the Security Process driver. This
example will be used throughout this section when discussing driver analysis.
Figure 5: Driver Value Criteria
When they analyze a driver, analysts need to consider how conditions and potential events¹² affect
that driver. In general, the following items should be considered for each driver that is analyzed:
- positive conditions that support a response of yes
- negative conditions that support a response of no
- potential events with positive consequences that support a response of yes
- potential events with negative consequences that support a response of no
- unknown factors that contribute to uncertainty regarding the response
- assumptions that might bias the response
Figure 6 shows an example of an analyzed driver. The answer to the driver question is likely no,
which means that the driver is most likely in its failure state. As a result, the program's processes
for security are most likely insufficient for achieving the objectives. The rationale for the response
to each driver question must also be documented because it captures the reasons why analysts
selected the response. Any evidence supporting the rationale, such as the results of interviews
with system stakeholders and information cited from system documentation, must also be cited as
well. Recording the rationale and evidence is important for validating the data and associated information products, for historical purposes, and for developing lessons learned.
¹² A condition is defined as the current state of being or existence. Conditions define the current set of circumstances that have an impact on system performance. A potential event is defined as an occurrence or happening that alters current conditions and, as a result, changes a system's performance characteristics [Alberts 2009].
Figure 6: Analyzed Driver
4.3 Driver Profile
A driver profile provides a visual summary of the current values of all drivers relevant to the
mission and objectives being assessed. A driver profile can be viewed as a dashboard that
provides decision makers with a graphical summary of current conditions and expected
performance in relation to the mission and objectives being pursued by a program. It depicts the probability that each driver is in its success state. A high probability for a driver indicates that the
driver has a high probability of being in its success state.
Figure 7 provides an example of a driver profile for software security. In Figure 7, a bar graph is
used to show 17 drivers that correspond to the standard set for software security, and
programmatic drivers are separated from the product drivers. The profile in Figure 7 indicates that
the following four drivers have a high probability of being in their failure states: Security Process,
Code Security, Integrated System Security, and Product Security Risk Management. The likely
states of these four drivers should concern the program's decision makers.
Figure 7: Driver Profile
4.4 Mission Risk
Mission risk is defined as the probability of mission failure (i.e., not achieving key objectives). In
this document, the term mission risk is used synonymously with the term systemic risk. From the
MRD perspective, mission risk is defined as the probability that a driver is in its failure state. As
illustrated in Figure
intended to increase the probabilities of selected drivers being in their success states and, as a
result, mitigate systemic risk to the mission (i.e., mitigate mission risk).
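The driver analysis, driver profile and mission risk of Sections 4.2 through 4.4, as an added Python example that is not code from the SEI report: it rates each driver on the five-point qualitative scale, groups the profile into programmatic and product drivers as Figure 7 does, reports per-driver mission risk as P(failure), and applies Section 5.1's remark that unknowns push a driver's probability toward the middle. The driver names come from Table 2; the probabilities attached to the scale, the damping rule for unknowns, the 0.7 flagging threshold and the ratings in example_drivers() are assumptions constructed for this example.

```python
"""Qualitative Mission Risk Diagnostic (MRD) driver analysis (added example).

Models Section 4's concepts: a driver's state on the five-point qualitative
scale, the driver profile (P(success) per driver, programmatic drivers kept
apart from product drivers), mission risk as P(failure), and Section 5.1's
remark that unknowns push a driver's probability toward the middle. The
probabilities attached to the scale, the damping rule for unknowns, and the
ratings in example_drivers() are assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class DriverState(Enum):
    """Qualitative scale from Section 4.1.3, from success to failure."""
    ALMOST_CERTAINLY_SUCCESS = 0
    MOST_LIKELY_SUCCESS = 1
    EQUALLY_LIKELY = 2
    MOST_LIKELY_FAILURE = 3
    ALMOST_CERTAINLY_FAILURE = 4


# Assumed P(success state) per scale value; the report defers quantitative
# implementations to future work, so these numbers are illustrative only.
SUCCESS_PROBABILITY = {
    DriverState.ALMOST_CERTAINLY_SUCCESS: 0.95,
    DriverState.MOST_LIKELY_SUCCESS: 0.75,
    DriverState.EQUALLY_LIKELY: 0.50,
    DriverState.MOST_LIKELY_FAILURE: 0.25,
    DriverState.ALMOST_CERTAINLY_FAILURE: 0.05,
}
PROGRAMMATIC_MAX_NUMBER = 9  # Section 4.1.5: drivers 1-9 programmatic, 10-17 product


@dataclass
class Driver:
    number: int
    name: str
    state: DriverState
    rationale: str = ""                           # why analysts chose the response
    evidence: list = field(default_factory=list)  # interviews, documents cited
    unknowns: int = 0                             # unknown factors recorded

    @property
    def kind(self) -> str:
        return "programmatic" if self.number <= PROGRAMMATIC_MAX_NUMBER else "product"

    def success_probability(self) -> float:
        """P(success). Assumed damping: each unknown halves the distance from 0.5."""
        base = SUCCESS_PROBABILITY[self.state]
        return 0.5 + (base - 0.5) * (0.5 ** self.unknowns)

    def mission_risk(self) -> float:
        """Mission risk for a driver is P(failure state) (Section 4.4)."""
        return 1.0 - self.success_probability()


def validate(driver):
    """Section 4.2: a response needs a documented rationale and cited evidence."""
    problems = []
    if not driver.rationale.strip():
        problems.append(f"{driver.name}: missing rationale")
    if not driver.evidence:
        problems.append(f"{driver.name}: no evidence cited")
    return problems


def driver_profile(drivers):
    """Data behind a profile bar graph (Figure 7), grouped by driver kind."""
    profile = {"programmatic": [], "product": []}
    for d in sorted(drivers, key=lambda d: d.number):
        profile[d.kind].append((d.name, round(d.success_probability(), 3)))
    return profile


def high_risk_drivers(drivers, threshold=0.7):
    """Names of drivers whose P(failure) reaches the threshold, in table order."""
    return [d.name for d in sorted(drivers, key=lambda d: d.number)
            if d.mission_risk() >= threshold]


def example_drivers():
    """Constructed ratings for the Table 2 driver names, chosen so the four
    drivers Figure 7 flags come out in their failure states."""
    S = DriverState
    ratings = [
        (1, "Program Security Objectives", S.MOST_LIKELY_SUCCESS),
        (2, "Security Plan", S.MOST_LIKELY_SUCCESS),
        (3, "Contracts", S.EQUALLY_LIKELY),
        (4, "Security Process", S.ALMOST_CERTAINLY_FAILURE),
        (5, "Security Task Execution", S.EQUALLY_LIKELY),
        (6, "Security Coordination", S.MOST_LIKELY_SUCCESS),
        (7, "External Interfaces", S.EQUALLY_LIKELY),
        (10, "Security Requirements", S.MOST_LIKELY_SUCCESS),
        (11, "Security Architecture and Design", S.EQUALLY_LIKELY),
        (12, "Code Security", S.MOST_LIKELY_FAILURE),
        (13, "Integrated System Security", S.ALMOST_CERTAINLY_FAILURE),
        (14, "Adoption Barriers", S.MOST_LIKELY_SUCCESS),
        (15, "Operational Security Compliance", S.MOST_LIKELY_SUCCESS),
        (16, "Operational Security Preparedness", S.EQUALLY_LIKELY),
        (17, "Product Security Risk Management", S.MOST_LIKELY_FAILURE),
    ]
    return [Driver(n, name, state, rationale="constructed rating",
                   evidence=["constructed interview note"]) for n, name, state in ratings]
```

Calling driver_profile(example_drivers()) gives the per-driver P(success) values behind a Figure 7 style bar graph, and high_risk_drivers() returns the four drivers that profile flags.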
4.5 The MRD: Key Tasks and Steps
Table 3 describes the key tasks and steps that must be performed when conducting the MRD.
Table 3: The M RD: Key Tasks and Steps
Task | Step | Description
Driver Identification | 1. Identify the mission | This step establishes the target or focus of the analysis.
Driver Identification | 2. Identify the objective(s) | The second step of driver identification determines the tangible outcome(s) that is of interest to decision makers. One or more objectives are identified during this activity.
Driver Identification | 3. Identify drivers | Here, analysts establish a small set (typically 10-25) of critical factors that has a strong influence on whether or not the objective(s) will be achieved. These factors are called drivers. At this point, driver identification is complete.
Driver Analysis | 4. Evaluate drivers | Once the set of drivers is identified, driver analysis can begin. The first step of driver analysis assesses the value of each driver to determine how it is currently influencing performance.
Driver Analysis | 5. Document rationale and evidence | This step records the reasons underlying the evaluation of each driver (called the rationale) and any tangible evidence that supports the rationale.
Driver Analysis | 6. Establish driver profile | The final step of driver analysis produces a visual summary of the current values of all drivers relevant to the mission and objectives being assessed.
The MRD enables systemic risk analysis of interactively complex systems across the life cycle
and supply chain. As illustrated throughout this section, the MRD defines an approach for
assessing a system's potential for achieving its mission and objectives. Our early work in
developing the MRD showed it to be a flexible approach that can be applied in many different
problems, including software acquisition and development, cyber security, and business portfolio
management.
Our current research is focused on applying the MRD in a software security context. The
examples provided throughout this section show how we have tailored the approach for software
acquisition and development programs. In our current research effort, we are interested in using
the MRD to direct an organization's software security measurement and analysis activities. In the
next section, we show how the MRD forms the basis for a measurement and analysis framework
that integrates software security data from multiple sources.
5 Integrated Measurement and Analysis Framework (IMAF)
The Integrated Measurement and Analysis Framework (IMAF) employs systemic risk analysis to
integrate subjective and objective data from a variety of sources, including targeted analysis,
status reporting, and measurement, to provide decision makers with a consolidated view of the
performance of interactively complex software-reliant systems. We designed the framework for
application in a variety of contexts, including acquisition program management, software
development, and operational security. However, our long-term research interests are focused on
applying the framework in a software security context. In this section, we present the conceptual
design of the IMAF from a generic point of view, highlighting its basic structure and key
elements. Details about applying the framework in a software security context are deferred to
future reports. Figure 8 below illustrates the basic structure of the IMAF.
Figure 8: Integrated Measurement and Analysis Framework (IMAF)
The following are the key elements of the IMAF as defined in Figure 8:
Decision Maker: the individual or management team that oversees an interactively complex
software-reliant system. The decision maker consumes a variety of information products to
satisfy defined decision-making needs.
Systemic Risk Analysis: a risk analysis that examines the aggregate effects of multiple
conditions and events on a system's ability to achieve its mission. Systemic risk analysis is
conducted to support decision making based on defined information needs and is used within
the IMAF to direct measurement, analysis, and reporting activities. The MRD, described in
Section 4, provides one way of performing a systemic risk analysis of an interactively
complex system.
Targeted Analysis: any analysis that gathers data about specific aspects of components
within a system and is conducted to support decision making based on defined information
needs. Targeted analysis includes information and knowledge that results from the
application of analysis methods, techniques, and tools, such as formal assessments,
evaluations, and audits.
Status Reporting: includes verbal, textual, and graphical information products that support defined information needs. Status reports are produced in the form and language that are
meaningful for decision makers.
Measurement: activities for selecting, defining, gathering and analyzing measurement data
(measures and indicators) based on defined information needs. Measurement data provide
decision makers with the quantitative information they need to effectively assess a situation
and, as a result, reduce uncertainty.
Measurement, targeted analysis, and status reporting generally provide decision makers with
insight into the performance of a system's individual components. However, decision makers
often have trouble assessing a system's macro-level behavior from information about its
individual components. The IMAF is designed to bridge this gap by integrating performance and
quality data for individual components to provide insight into the system's macro-level behavior.
It can also highlight where additional data need to be collected based on uncertainties in the
integrated data set. For security data, this insight can help identify areas of the system that are
vulnerable or are not receiving adequate attention from a security perspective. The next section of
this report describes a conceptual scenario of how the IMAF can be used to direct measurement,
analysis, and reporting activities and reduce system uncertainty.
5.1 Using the IMAF to Direct Measurement, Analysis, and Reporting Activities
Figure 10 illustrates a scenario that shows how the IMAF can be used to support decision-making
activities. The scenario depicted in the figure uses the MRD to direct measurement, analysis, and reporting activities for a given system, such as a software acquisition and development program.
In the scenario, we are making an assumption that measurement, analysis, and reporting data are
already being collected on an ongoing basis. This assumption is represented by the first step in the
scenario. Most decision makers have a wealth of information at their disposal. Unfortunately, in
the internet age information consumers can easily become overwhelmed by too much information.
As a result, decision makers can have trouble connecting the dots among the disparate types of
data that they receive on a daily basis. The IMAF is designed to help decision makers (1) sort
through the data they already have, (2) make decisions based on the available data, and (3)
determine additional data to collect that will reduce current uncertainties that are present.
In the scenario's second step, a team is chartered to perform the MRD using data that are already
being collected. The team conducts the systemic risk analysis and presents the decision maker
with the driver profile for the system as well as the following detailed data related to each driver:
- positive conditions that are influencing the driver's state
- negative conditions that are influencing the driver's state
- potential events with positive consequences that could influence the driver's state
- potential events with negative consequences that could influence the driver's state
- unknown factors that contribute to uncertainty regarding the driver's state
- assumptions that might bias the evaluation of the driver
Figure 10: IMAF Scenario
The decision maker typically starts by looking at the driver profile, which establishes a snapshot
of systemic risk to the mission (i.e., a snapshot of mission risk). The driver profile enables the decision maker to identify actions intended to increase the probabilities of specific drivers being
in their success states, which has the effect of mitigating mission risk.
In addition, the decision maker must look at the uncertainties related to each driver. These
uncertainties often reflect circumstances where there are known gaps in the underlying data or
where the data collected are not fully trusted. They tend to push a driver's probability toward the
middle (i.e., equally likely to be in its success and failure states). Uncertainties provide decision
makers an opportunity to collect additional information in order to refine the analysis of a driver.
In the third step of the scenario depicted in Figure 10, the decision maker updates his or her
measurement, analysis, and reporting needs/requirements based on the goal of reducing
uncertainties related to each driver. Finally, in the fourth step, updated information needs are identified based on the decision maker's revised requirements. These updated information needs
can lead to the identification of additional
- assessments to perform
- status information to collect
- measures to collect
The four steps listed in Figure 10 outline a basic process for identifying measurement, analysis,
and reporting data that need to be collected. As additional data are collected, the process can be
repeated. Over time, the reduction in uncertainty resulting from new data that are collected and
analyzed should provide decision makers with more clarity regarding systemic risk to the mission
and, as a result, enable better decision making based on more objective data.
5.2 Applying ISO 15939 Measurement in an IMAF Context
The IMAF is a general purpose framework that can be integrated with an organization's
measurement, analysis, and reporting practices. Figure 11 illustrates how the ISO 15939
measurement process presented in Section 2 of this report can be applied within an IMAF context.
The single measurement box shown in the basic IMAF diagram (Figure 9) has been expanded to
include the detailed ISO 15939 measurement process depicted in Figure 2 (in Section 2 of this
report). The MRD provides information needs to the plan measurement activity of the ISO 15939
measurement process and receives information products, such as measures and indicators, from
the perform measurement activity.
Figure 11: The IMAF in an ISO 15939 Measurement Context
Based on our field work with customers, we believe that the IMAF will help provide decision
makers with the information they need, when they need it, and in the right form. The next step in
our research and development activities is to begin piloting the framework with customer
organizations in a software security context.
6 Additional Research Tasks
The IMAF and the MRD form the foundation for research and development activities being
performed by the SSMA project. In this section, we briefly highlight three additional tasks that
build on this foundation: (1) measure identification, (2) standard mapping, and (3) driver
modeling. Measure identification will enable practitioners to identify and select software security
measures based on driver uncertainties (as identified by applying the IMAF). With the standard
mapping task, we are developing an approach for linking software security drivers, practices, and
measures to the controls specified in commonly used security standards. As part of our driver
modeling task, we are beginning to apply predictive analytics in a software security context to
enable more informed decision making through quantitative measurement and analysis. Our intent
in this section is to provide a conceptual overview of each task. Future reports, white papers, and
presentations will provide more in-depth treatments of these three tasks in a software security
context.
6.1 Measure Identification
Meaningful measurement and analysis is based on carefully considered and defined measures that
are linked to the mission of the system being assessed. Figure 12 provides a conceptual view of
how measures can be linked to the mission using the IMAF.
Figure 12: Link from Mission to Measures (Conceptual View)
The discussion of the MRD in Section 4 describes how to decompose a mission into objectives
and drivers using driver identification. During driver analysis, the set of drivers is evaluated to
determine each driver's influence on the system's mission and objectives. As a result, driver
analysis provides decision makers with insight into the degree of systemic risk and uncertainty
affecting the mission and objectives.
In previous sections, we conceptually showed how driver uncertainties can be used to define a set
of information needs for targeted analysis, status reporting, and measurement. In our measure
-53 standard,
which is entitled Recommended Security Controls for Federal Information Systems and
Organizations [NIST 2009].
Figure 13: Standard Mapping (Conceptual View)
By mapping security standards to software security drivers, practices, and measures, we can link
mission-based measurement and analysis (provided by the IMAF) with an organization's security
compliance efforts. Decision makers can identify any conflicts between system performance and
the organization's compliance efforts. Our work related to this task is in the prototyping stage, and
the early results look promising. However, considerable work still remains. Details about
additional development related to standard mappings will be provided in future reports, white papers, and presentations.
6.3 Driver Modeling
While conducting our research and development activities, we identified the need for predictive
modeling within the discipline of software security. We came to the conclusion that predictive
analytics could provide a basis for quantifying the likelihood of occurrence and relationships
among security entities, such as drivers. We also determined that predictive analytics had the
potential to enable a more compelling and efficient basis for implementing a measurement and
analysis approach prescribed by the IMAF.
We identified a variety of modeling approaches that could be employed to quantitatively implement the IMAF. In particular, we believed that these modeling approaches could provide a
predictive analytics engine for the MRD. The candidate approaches that we considered include,
but are not limited to
- traditional statistical correlation and regression analysis
- systems dynamics modeling
- Monte Carlo simulation modeling
- probabilistic modeling (e.g., Bayesian Belief Networks)
After considering the demands and constraints affecting our research project, we selected Bayesian
Belief Networks (BBNs) as our modeling approach. Figure 14 shows our initial BBN diagram for the 17 software security drivers that we introduced in Section 4.1.5 of this report.
The BBN in the figure will quantitatively confirm the likelihood of occurrence of each driver's
state as well as confirm the relationships of leading indicators among the drivers. For example,
in Figure 14 each of the drivers, represented by the circled nodes, has one or more states. These
could be binary states, such as success and failure, or they could use a scale of 1 to 5. Additionally,
each arrow represents a potential cause-and-effect relationship, or leading indicator relationship.
For example, the following five security drivers directly influence the status of the security
objective, which is represented by the black circled node in Figure 14:
- driver 13, Integrated System Security
- driver 14, Adoption Barriers
- driver 15, Operational Security Compliance
- driver 16, Operational Security Preparedness
- driver 17, Product Security Risk Management
Figure 14: Driver Model (Bayesian Belief Network)
Likewise, the status of driver 11 (Security Architecture and Design) may be predicted with
knowledge of driver 5 (Security Task Execution) and driver 10 (Security Requirements).
Figure 14 reflects subjective expert opinion regarding the relationships among the drivers. Over
time, empirical analysis of the BBN might demonstrate that some relationships based on expert
opinion are not significant, while new relationships might also be identified. The results of this empirical analysis might cause the BBN to be modified, where insignificant relationships are
removed from the model and newly discovered relationships are added.
Overall, we believe that an operational BBN model that learns from additional experience and
data will prove useful for identifying which drivers have the greatest influence on achieving the
security objective. As analysts acquire additional objective or subjective security data about
drivers and their relationships, the model will learn from this new information. Probabilities
associated with drivers will be updated accordingly, and relationships among drivers in the model
will also be updated.
Using BBNs to implement the IMAF shows considerable promise for providing decision makers
with quantitative measurement data. From a decision maker's perspective, BBNs offer an approach to model real-time observations and update predictions with the latest knowledge,
thereby providing decision makers with current and comprehensive information before making
critical decisions. Additional details about this work will be provided in future reports, white
papers, and presentations.
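The following is an added example, not code from the report or from the SSMA project, that makes two of the ideas above concrete: the uncertainty treatment from the IMAF scenario (an uncertain driver's probability is pulled toward the middle, and the least-confident drivers are where new information needs arise) and the Section 6.3 driver model (the five drivers of Figure 14 as parents of a binary security objective, with predictions that update as observations arrive). The driver numbers and names are the report's; every probability, confidence value, weight and the noisy-OR shape of the conditional probability table are constructed placeholders.

```python
"""Minimal Bayesian belief network for the security objective of Figure 14.

Added example: driver numbers and names are from the report; all numeric
values are constructed placeholders, not data from the report or the
SSMA project.
"""
from itertools import product

# Parent drivers of the security objective, as listed for Figure 14.
DRIVERS = [
    "13 Integrated System Security",
    "14 Adoption Barriers",
    "15 Operational Security Compliance",
    "16 Operational Security Preparedness",
    "17 Product Security Risk Management",
]

# Constructed: how strongly a driver in its failure state reduces the
# chance that the objective is met (noisy-OR strength, 0..1).
WEIGHTS = {
    "13 Integrated System Security": 0.5,
    "14 Adoption Barriers": 0.2,
    "15 Operational Security Compliance": 0.3,
    "16 Operational Security Preparedness": 0.3,
    "17 Product Security Risk Management": 0.4,
}

# Constructed: chance the objective is met when every parent succeeds.
BASE_SUCCESS = 0.95

# Constructed driver profile: (estimated P(success state), confidence in
# that estimate on 0..1). Low confidence stands for the report's "unknown
# factors" and "assumptions" about a driver.
PROFILE = {
    "13 Integrated System Security": (0.8, 0.9),
    "14 Adoption Barriers": (0.4, 0.3),
    "15 Operational Security Compliance": (0.7, 0.6),
    "16 Operational Security Preparedness": (0.6, 0.5),
    "17 Product Security Risk Management": (0.9, 0.8),
}


def effective_probability(p_success, confidence):
    """Blend an estimate with 0.5 according to confidence: uncertainty
    pushes the driver toward being equally likely in either state."""
    return confidence * p_success + (1.0 - confidence) * 0.5


def p_objective_given(states):
    """CPT P(objective = success | parent states): each failed parent
    independently scales the base probability by (1 - weight)."""
    p = BASE_SUCCESS
    for driver in DRIVERS:
        if not states[driver]:
            p *= 1.0 - WEIGHTS[driver]
    return p


def objective_probability(profile, evidence=None):
    """Marginal P(objective = success) by enumerating all 2^5 parent states.

    `evidence` maps a driver to an observed state (True = success,
    False = failure); an observed driver replaces its uncertain estimate
    with certainty, which is how new data update the prediction.
    """
    evidence = evidence or {}
    p_success = {}
    for driver in DRIVERS:
        if driver in evidence:
            p_success[driver] = 1.0 if evidence[driver] else 0.0
        else:
            estimate, confidence = profile[driver]
            p_success[driver] = effective_probability(estimate, confidence)

    total = 0.0
    for combo in product((True, False), repeat=len(DRIVERS)):
        states = dict(zip(DRIVERS, combo))
        joint = 1.0  # parents are root nodes, so their joint is a product
        for driver in DRIVERS:
            joint *= p_success[driver] if states[driver] else 1.0 - p_success[driver]
        total += joint * p_objective_given(states)
    return total


def uncertainty_ranking(profile):
    """Drivers from least to most confident: the head of the list is where
    additional assessments, status information or measures reduce
    uncertainty most (the scenario's updated information needs)."""
    return sorted(profile, key=lambda driver: profile[driver][1])


if __name__ == "__main__":
    print("P(objective met) from profile: %.3f" % objective_probability(PROFILE))
    observed = {"14 Adoption Barriers": False}
    print("after observing driver 14 in failure: %.3f"
          % objective_probability(PROFILE, observed))
    print("collect more data on:", uncertainty_ranking(PROFILE)[:2])
```

Because the five drivers are root nodes and the CPT is a product of per-parent factors, the enumeration reduces to a closed form (base probability times one factor per driver), which is a convenient check on the code; a real driver model with the cross-driver arrows of Figure 14 would need a proper inference engine rather than brute-force enumeration.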
7 Summary and Next Steps
For several years, the software engineering community has been working to identify practices
aimed at developing more secure software. Although some foundational work has been performed
throughout the community, efforts to measure software security assurance have yet to materialize
in any substantive fashion. As a result, decision makers (e.g., development program and project
managers, acquisition program offices) lack confidence in the security characteristics of their
software-reliant systems.
In September 2009, the SEI CERT Program chartered the SSMA Project to advance the state-of-
the-practice in software security measurement and analysis. The SSMA Project is researching and
developing frameworks, methods, and tools for measuring and monitoring the security
characteristics of interactively complex software-reliant systems across the life cycle and supply
chain.
The SSMA Project builds on the CERT Program's core competence in software and information security as well as the SEI's work in software engineering measurement and analysis. The main
purpose of this project is to address the following two questions:
1. How do we establish, specify, and measure justified confidence that interactively complex
software-reliant systems are sufficiently secure to meet operational needs?
2. How do we measure at each phase of the development or acquisition life cycle that the
required/desired level of security has been achieved?
This report primarily focuses on answering the first research question. It presents a risk-based
approach for establishing, specifying, and measuring justified confidence that interactively
complex software-reliant systems are sufficiently secure to meet operational needs.
7.1 The IMAF and the MRD
The main conceptual framework developed under the SSMA project is the Integrated
Measurement and Analysis Framework (IMAF), which is depicted in Figure 15. The IMAF
employs systemic risk analysis to integrate subjective and objective data from a variety of
sources, including targeted analysis, status reporting, and measurement, to provide decision
makers with a consolidated view of the performance of interactively complex software-reliant
systems.
In general, targeted analysis, status reporting, and measurement activities provide very detailed
data about a system's critical components. For interactively complex systems, decision makers often have trouble connecting the dots among the very detailed, disparate data available to
them. As a result, decision makers can find it difficult to understand a system's macro-level
behavior based on available information. The IMAF is designed to bridge this gap by integrating
performance data for individual components to provide insight into the system's behavior. It can
also highlight where additional data need to be collected based on uncertainties in the integrated
data set.
The centerpiece of the IMAF is a systemic risk analysis approach that examines the aggregate
effects of multiple conditions and events on a system's ability to achieve its mission. Systemic
risk analysis is conducted to support decision making based on defined information needs and is
used within the IMAF to direct measurement, analysis, and reporting activities. The SSMA
project is developing the Mission Risk Diagnostic (MRD) to enable systemic analysis as
prescribed by the IMAF.
Figure 15: The IMAF Revisited
The MRD comprises two main tasks: driver identification and driver analysis. The main goal of
driver identification is to establish a set of factors, called drivers, that can be used to measure performance in relation to a program's mission and objectives. Once the set of drivers is
established, analysts then employ driver analysis to evaluate each driver in the set.
Driver analysis enables analysts to evaluate the current state of each driver (i.e., how it is affecting
current performance) and establish a driver profile for the mission. The purpose of the driver
profile is to establish a snapshot of the degree of systemic risk currently affecting the mission (i.e.,
a snapshot of mission risk). The driver profile enables the decision maker to identify actions
intended to increase the probabilities of specific drivers being in their success states, which, in
turn, mitigates mission risk.
The decision maker must also consider uncertainties related to each driver. These uncertainties
often reflect circumstances where there are known gaps in the underlying data or where the data
collected are not fully trusted. They tend to influence a driver's probability toward the middle
(i.e., equally likely to be in its success and failure states). Uncertainties provide decision makers
an opportunity to collect additional information (via targeted analysis, status reporting, and
measurement) in order to refine the analysis of a driver. Over time, the reduction in uncertainty
resulting from new data that are collected and analyzed should provide decision makers with more
clarity regarding system performance and, as a result, enable better decision making based on
more objective data.
Early versions of the MRD have been piloted in a variety of areas, including software acquisition
and development programs, cyber security processes, and business portfolio management. We are
currently looking to pilot the IMAF and the MRD in a software security context. The goal is to
assess software security during a system's acquisition and development and help decision makers
identify software security measures that will help them reduce systemic risk and uncertainty.
7.2 Additional Research
The IMAF and the MRD serve as the foundation for SSMA research and development activities.
Building upon this foundation, we have pursued the following three additional research and
development tasks during the past two years:
- measure identification: an approach for identifying practices and measures related to a
given driver
- standard mapping: a means of mapping community standards to drivers, practices, and
measures
- driver modeling: an approach for using predictive analytics as a quantitative basis for
implementing the IMAF
Although each of the above tasks is early in its development, early results look promising.
7.3 Next Steps
This report concludes our initial phase of research and development related to software security
measurement and analysis. We have established a basis for future measurement and analysis
activities through our work in the following areas:
- definition of a measurement and analysis framework (the IMAF)
- development of a method for performing systemic analysis of interactively complex systems
(the MRD)
- identifying meaningful measures (measure identification)
- mapping standards to drivers, practices, and measures (standard mapping)
- applying predictive analytics to software security using BBNs (driver modeling)
The main emphasis of our early research and development activities has been the development of
the IMAF and the MRD, which have been presented in this report. The goals of our next phase are
to (1) pilot and refine the IMAF and the MRD in a software security context and (2) continue
research and development activities related to measure identification, standard mapping, and driver modeling. We believe that our work in software security measurement and analysis holds
considerable promise for the future. We hope to build on the foundational work described in this
report in the years to come.
Appendix: Standard Set of Drivers for Software Security
This appendix provides a prototype set of driver questions for assessing software security as
described in Section 4.1.5. This set of drivers is derived from the following software security
objective: When the system is deployed, security risks to the deployed system will be within an
acceptable tolerance.
At this point in time, the set o