| # |
ID |
PAPER |
TAXONOMY |
LEVEL 0 |
LEVEL 1 |
LEVEL 2 |
LEVEL 3 |
LEVEL 4 |
METRIC |
KEY WORD |
DEFINITION |
SCALE |
SCOPE |
AUTOMATION |
MEASUREMENT |
WHAT? |
USABLE |
EXECUTION TIME |
INFORMATION OBTAINED |
REASON |
|
|
|
| 5 |
2 |
|
YES |
Vulnerability metrics |
Measuring User Vulnerabilities |
Password Vulnerabilities |
- |
- |
Entropy |
PASSWORD |
|
|
USER |
AUTOMATIC |
STATIC |
- |
YES |
|
|
This could be used with keys instead of passwords to measure randomness |
|
* |
This information was induced by me |
| 8 |
2 |
|
YES |
Vulnerability metrics |
Measuring Interface-Induced Vulnerabilities |
- |
- |
- |
Attack surface |
SURFACE |
It aim to measure the ways by which an attacker can compromise a targeted software |
ABSOLUTE |
DEVICE |
|
STATIC |
DEVICE |
YES |
|
|
|
|
|
|
| 9 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Temporal Attributes of Vulnerabilities |
Evolution of vulnerabilities |
- |
Historical vulnerability metric |
VULNERABILITY |
It measures the degree that a system is vulnerable (i.e., frequency of vulnerabilities) in the past |
RATIO BSOLUTE ISTRIBUTION |
DEVICE |
|
STATIC |
|
YES |
|
|
This could be part of a checklist of task, to check if there is any vulnerability that affects the device |
|
|
|
| 10 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Temporal Attributes of Vulnerabilities |
Evolution of vulnerabilities |
- |
Historically exploited vulnerability metric |
VULNERABILITY |
It measures the number of vulnerabilities exploited in the past |
RATIO BSOLUTE ISTRIBUTION |
DEVICE |
|
STATIC |
|
YES |
|
|
This could be part of a checklist of task, to check if there is any vulnerability that affects the device |
|
|
|
| 13 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Temporal Attributes of Vulnerabilities |
Evolution of vulnerabilities |
- |
Tendency-to-be-exploited metric |
|
It measures the tendency that a vulnerability may be exploited, where the “tendency” may be derived from information sources such as posts on Twitter before vulnerability disclosures |
RATIO BSOLUTE ISTRIBUTION |
DEVICE |
|
STATIC |
|
¿? |
|
|
This research work might not be part of a security evaluation, but could be applied if so |
|
|
|
| 15 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Severity of Individual Software Vulnerabilities |
CVSS Base |
Exploitability Metrics |
Attack vector |
|
Describes whether a vulnerability can be exploited remotely, adjacently, locally, or physically (i.e., attacker must have physical access to the computer) |
NOMINAL |
SOFTWARE |
|
STATIC |
|
YES |
|
|
For calculating new vulnerabilities, or to know each dimension of known vulnerabilities |
|
|
|
| 16 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Severity of Individual Software Vulnerabilities |
CVSS Base |
Exploitability Metrics |
Attack complexity |
|
Describes the conditions that must hold before an attacker can exploit the vulnerability, such as low or high |
ORDINA |
SOFTWARE |
|
STATIC |
|
YES |
|
|
For calculating new vulnerabilities, or to know each dimension of known vulnerabilities |
|
|
|
| 17 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Severity of Individual Software Vulnerabilities |
CVSS Base |
Exploitability Metrics |
Privilege required |
|
Describes the level of privileges that an attacker must have in order to exploit a vulnerability, such as none, low, or high |
ORDINAL |
SOFTWARE |
|
STATIC |
|
YES |
|
|
For calculating new vulnerabilities, or to know each dimension of known vulnerabilities |
|
|
|
| 18 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Severity of Individual Software Vulnerabilities |
CVSS Base |
Exploitability Metrics |
User interaction |
|
Describes whether the exploitation of a vulnerability requires the participation of a user (other than the attacker), such as none or required |
NOMINAL |
SOFTWARE |
|
STATIC |
|
YES |
|
|
For calculating new vulnerabilities, or to know each dimension of known vulnerabilities |
|
|
|
| 19 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Severity of Individual Software Vulnerabilities |
CVSS Base |
Exploitability Metrics |
Authorization scope |
|
Describes whether or not a vulnerability has an impact on resources beyond its privileges (e.g., sandbox or virtual machine), such as unchanged or changed |
NOMINAL |
SOFTWARE |
|
STATIC |
|
YES |
|
|
For calculating new vulnerabilities, or to know each dimension of known vulnerabilities |
|
|
|
| 20 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Severity of Individual Software Vulnerabilities |
CVSS Base |
Impact Metrics |
Confidentiality impact |
CONFIDENTIALITY |
The impact of a successful exploitation of a vulnerability in terms of confidentiality such as none, low, high |
ORDINAL |
SOFTWARE |
|
STATIC |
|
YES |
|
|
For calculating new vulnerabilities, or to know each dimension of known vulnerabilities |
|
|
|
| 21 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Severity of Individual Software Vulnerabilities |
CVSS Base |
Impact Metrics |
Integrity impact |
|
The impact of a successful exploitation of a vulnerability in terms of integrity such as none, low, high |
ORDINAL |
SOFTWARE |
|
STATIC |
|
YES |
|
|
For calculating new vulnerabilities, or to know each dimension of known vulnerabilities |
|
|
|
| 22 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Severity of Individual Software Vulnerabilities |
CVSS Base |
Impact Metrics |
Availability impact |
AVAILABILITY |
The impact of a successful exploitation of a vulnerability in terms of availability, such as none, low, high |
ORDINAL |
SOFTWARE |
|
STATIC |
|
YES |
|
|
For calculating new vulnerabilities, or to know each dimension of known vulnerabilities |
|
|
|
| 23 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Severity of Individual Software Vulnerabilities |
CVSS Base |
CVSS Temporal Metrics |
Exploit code maturity |
|
The likelihood a vulnerability can be attacked based on the current exploitation techniques, such as undefined, unproven, proof-of-concept, functional, or high |
ORDINAL |
SOFTWARE |
|
STATIC |
|
YES |
|
|
For calculating new vulnerabilities, or to know each dimension of known vulnerabilities |
|
|
|
| 24 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Severity of Individual Software Vulnerabilities |
CVSS Base |
CVSS Temporal Metrics |
Remediation level |
|
Describes whether or not a remediation method is available for a given vulnerability, such as undefined, unavailable, workaround, temporary fix, or official fix |
NOMINAL |
SOFTWARE |
|
STATIC |
|
YES |
|
|
For calculating new vulnerabilities, or to know each dimension of known vulnerabilities |
|
|
|
| 25 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Severity of Individual Software Vulnerabilities |
CVSS Base |
CVSS Temporal Metrics |
Report confidence |
|
Measures the level of confidence for a given vulnerability as well as known technical details, such as unknown, reasonable, or confirmed |
NOMINAL |
SOFTWARE |
|
STATIC |
|
YES |
|
|
For calculating new vulnerabilities, or to know each dimension of known vulnerabilities |
|
|
|
| 26 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Severity of Individual Software Vulnerabilities |
CVSS Base |
CVSS Environmental Metrics |
Security requirement |
|
Describes environment-dependent security requirements in terms of confidentiality, integrity, and availability, such as not defined, low, medium, or high |
NOMINAL |
SOFTWARE |
|
STATIC |
|
YES |
|
|
For calculating new vulnerabilities, or to know each dimension of known vulnerabilities |
|
|
|
| 29 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Severity of a Collection of Vulnerabilities |
Deterministic Severity Metrics (attack graphs) |
Effort metrics |
Necessary defense metric |
|
It estimates a minimal set of defense countermeasures necessary for thwarting a certain attack |
- |
DEVICE |
|
STATIC |
|
YES |
|
|
This is related with the defenses that are necesary to implement so the system is secure for a certain vulnerability |
|
|
|
| 30 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Severity of a Collection of Vulnerabilities |
Deterministic Severity Metrics (attack graphs) |
Effort metrics |
Effort-to-security-failure metric |
EFFORT |
It measures an attacker’s effort to reach its goal state |
- |
DEVICE |
|
DYNAMIC* |
|
YES |
|
|
Although it might be difficult to estimate, this could be also included in the evaluation process |
|
|
|
| 31 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Severity of a Collection of Vulnerabilities |
Deterministic Severity Metrics (attack graphs) |
Effort metrics |
Weakest adversary metric |
EFFORT |
It estimates minimum adversary capabilities required to achieve an attack goal |
- |
DEVICE |
|
DYNAMIC* |
|
¿? |
|
|
If the effort can be calculated in an objective manner, this could be used in embedded systems |
|
|
|
| 33 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Severity of a Collection of Vulnerabilities |
Probabilistic Severity Metrics |
Metrics treating CVSS scores as atomic parameters |
Likelihood of exploitation |
|
It measures the probability that an exploit will be executed by an attacker with certain capabilities |
- |
SOFTWARE |
|
STATIC |
|
¿? |
|
|
This is related with statistics and risk assessment. It could be applied |
|
|
|
| 34 |
2 |
|
YES |
Vulnerability metrics |
Measuring Software Vulnerabilities |
Severity of a Collection of Vulnerabilities |
Probabilistic Severity Metrics |
Metrics not treating CVSS scores as atomic parameters |
Effective base metric / scope |
|
Given an attack graph and a subset of exploits, the effective base metric aims to adjust the CVSS base metric by taking the highest value of the ancestors of an exploit to reflect the worst-case scenario, while the effective base score metric is calculated based on the effective base metric |
- |
SOFTWARE |
|
STATIC |
|
- |
|
|
- |
|
|
|
| 35 |
2 |
|
YES |
Defense metrics |
Strength of Preventive Defenses |
Metrics for Blacklisting |
- |
- |
Reaction time metric |
TIME |
It captures the delay between the observation of the malicious entity at time t and the blacklisting of the malicious entity at time t (i.e., t − t) |
ABSOLUTE |
DEVICE |
|
DYNAMIC |
|
YES |
|
|
If the device has any kind of detection mechanism, this could be used. Detection and reaction might have different times |
|
|
|
| 36 |
2 |
|
YES |
Defense metrics |
Strength of Preventive Defenses |
Metrics for Blacklisting |
- |
- |
Coverage metric |
COVERAGE |
It estimates the portion of blacklisted malicious players |
ORDINAL |
DEVICE |
|
STATIC |
|
YES |
|
|
This could be used, but the device has to have a blacklist |
|
|
|
| 37 |
2 |
|
YES |
Defense metrics |
Strength of Preventive Defenses |
Metrics for DEP |
- |
- |
NO METRIC IS DEFINED |
|
No metrics have been defined to measure the effectiveness of DEP. The effectiveness of DEP can be measured based on the probability of being compromised by a certain attack A(t) over all possible classes of attacks |
- |
DEVICE |
|
- |
|
- |
|
|
No metric is defined |
|
|
|
| 38 |
2 |
|
YES |
Defense metrics |
Strength of Preventive Defenses |
Metrics for CFI |
- |
- |
Average indirect target reduction |
|
It counts the overall reduction of targets for any indirect control-flow transfer. It measures the overall reduction in terms of the number of targets exploitable by the attacker where smaller targets are more secure |
ABSOLUTE |
UNKNOWN |
|
UNKNOWN |
|
UNKNOWN |
|
|
UNKNOWN |
|
|
|
| 39 |
2 |
|
YES |
Defense metrics |
Strength of Preventive Defenses |
Metrics for CFI |
- |
- |
Average target size |
|
Ratio between the size of the largest target and the number of targets |
- |
UNKNOWN |
|
UNKNOWN |
|
UNKNOWN |
|
|
UNKNOWN |
|
|
|
| 40 |
2 |
|
YES |
Defense metrics |
Strength of Preventive Defenses |
Metrics for CFI |
- |
- |
Evasion resistance |
|
It is measured against control flow bending attacks, reflecting the effort (or premises) that an attacker must make (or satisfy) for evading the CFI scheme |
- |
UNKNOWN |
|
UNKNOWN |
|
UNKNOWN |
|
|
UNKNOWN |
|
|
|
| 41 |
2 |
|
YES |
Defense metrics |
Measuring the Strength of Reactive Defenses |
Metrics for Monitoring |
- |
- |
Coverage metric |
COVERAGE |
It measures the fraction of events detectable by a specific sensor deployment, reflecting a defender’s need in monitoring events |
- |
DEVICE |
|
DYNAMIC |
|
UNKNOWN |
|
|
UNKNOWN |
|
|
|
| 42 |
2 |
|
YES |
Defense metrics |
Measuring the Strength of Reactive Defenses |
Metrics for Monitoring |
- |
- |
Redundancy metric |
|
It estimates the amount of evidence provided by a specific sensor deployment to detect an event |
- |
DEVICE |
|
DYNAMIC |
|
YES |
|
|
This can be applied to devices as a whole, to check any mechanism of intrusion detection (mostly, tanti-tampering and software) |
|
|
|
| 43 |
2 |
|
YES |
Defense metrics |
Measuring the Strength of Reactive Defenses |
Metrics for Monitoring |
- |
- |
Confidence metric |
|
It measures how well-deployed sensors detect an event in the presence of compromised sensors |
- |
DEVICE |
|
DYNAMIC |
|
YES |
|
|
This can be applied to devices as a whole, to check any mechanism of intrusion detection (mostly, tanti-tampering and software) |
|
|
|
| 45 |
2 |
|
YES |
Defense metrics |
Measuring the Strength of Reactive Defenses |
Metrics for Detection Mechanisms |
Individual Strength of Defense Mechanisms |
- |
Detection time |
TIME |
For instrument-based attack detection, this metric is used to measure the delay between the time t0 at which a compromised computer sends its first scan packet and the time t that a scan packet is observed by the instrument |
- |
UNKNOWN |
|
UNKNOWN |
|
UNKNOWN |
|
|
UNKNOWN |
|
|
|
| 57 |
2 |
|
YES |
Defense metrics |
Measuring the Strength of Proactive Defenses |
Address Space Layout Randomization (ASLR) |
- |
- |
ASLR-induced Effective entropy metric |
|
Measure of entropy in user space memory which quantitatively considers an adversary’s ability to leverage low entropy regions of memory via absolute and dynamic inter-section connections |
- |
SOFTWARE |
|
DYNAMIC |
OS |
YES |
|
|
If the device runs an OS, this could be applied |
|
|
|
| 59 |
2 |
|
YES |
Defense metrics |
Measuring the Strength of Overall Defenses |
- |
- |
- |
Penetration resistance (PR) |
|
Running a penetration test to estimate the level of effort (e.g., person-day or cost) required for a red team to penetrate into a system |
- |
DEVICE ETWORK |
|
DYNAMIC |
|
YES |
|
|
Penetration testing is a really common way to test this kind of device |
|
|
|
| 82 |
2 |
|
YES |
Situation metrics |
Measuring Security State |
Model-Driven Metrics |
- |
- |
Probability a computer is compromised at time t |
|
It quantifies the degree of security in enterprise systems by using modeling techniques based on a holistic perspective |
- |
DEVICE ETWORK |
|
¿? |
|
¿? |
|
|
Although this is a network-oriented metric, this might be adapted to be used with an embedded system |
|
|
|
| 85 |
2 |
|
YES |
Situation metrics |
Measuring Security Incidents |
Frequency of Security Incidents |
- |
- |
Blocking rate |
|
The rate an encountered attack is successfully defended by a deployed defense |
- |
NETWORK |
|
DYNAMIC |
|
¿? |
|
|
Although this is a network-oriented metric, this might be adapted to be used with an embedded system (maybe for a penetration test) |
|
|
|
| 89 |
2 |
|
YES |
Situation metrics |
Measuring Security Incidents |
Frequency of Security Incidents |
- |
- |
Time-to-first-compromise metric |
TIME |
Estimates the duration of time between when a computer starts to run and the first malware alarm is triggered on the computer where the alarm indicates detection rather than infection |
- |
DEVICE |
|
DYNAMIC |
|
YES |
|
|
This can be used in embedded systems, but it might not be suitable for a security evaluation (maybe for a penetration test) |
|
|
|
| 96 |
10 |
|
YES |
Host-based |
Without Probability Values |
- |
- |
- |
Attack Impact |
|
It is the quantitative measure of the potential harm caused by an attacker to exploit a vulnerability |
- |
NETWORK |
|
STATIC |
|
|
|
|
|
|
|
|
| 97 |
10 |
|
YES |
Host-based |
Without Probability Values |
- |
- |
- |
Attack Cost |
COST |
It is the cost spent by an attacker to successfully exploit a vulnerability (i.e., security weakness) on a host |
- |
NETWORK |
|
STATIC YNAMIC |
|
YES |
|
|
This is related to network, but this could be applicable to devices too |
|
|
|
| 100 |
10 |
|
YES |
Host-based |
Without Probability Values |
- |
- |
- |
Mean-time-to-compromise (MTTC) |
TIME |
It is used to measure how quickly a network can be penetrated |
- |
NETWORK |
|
DYNAMIC |
|
¿? |
|
|
This is no directly applicable, but its equivalent would be a penetration attack in an embedded system |
|
|
|
| 101 |
10 |
|
YES |
Host-based |
Without Probability Values |
- |
- |
- |
Mean-time-to-recovery (MTTR) |
TIME |
It is used to assess the effectiveness of a network to recovery from an attack incidents. It is defined as the average amount of time required to restore a system out of attack state |
- |
NETWORK |
|
DYNAMIC |
|
¿? |
|
|
Although this is developed for networks, the same concept can be translated into embeded systems |
|
|
|
| 105 |
10 |
|
YES |
Host-based |
Without Probability Values |
- |
- |
- |
Return on Attack |
|
The gain the attacker expects from successful attack over the losses he sustains due to the countermeasure deployed by his target |
- |
NETWORK |
|
¿? |
|
¿? |
|
|
Network-related, but it scent can be translated into embedded systems |
|
|
|
| 106 |
10 |
|
YES |
Host-based |
With Probability Values |
- |
- |
- |
Common Vulnerability Scoring System (CVSS) - Overall value |
VULNERABILITY |
The overall score is determined by generating a base score and modifying it through the temporal and environmental formulas |
- |
DEVICE |
|
STATIC |
|
YES |
|
|
This could be used tohether with other metics to obtain a numeric value |
|
|
|
| 107 |
10 |
|
YES |
Host-based |
With Probability Values |
- |
- |
- |
Probability of Vulnerability Exploited |
VULNERABILITY |
It is used to assess the likelihood of an attacker exploiting a specific vulnerability on a host |
- |
SOFTWARE ARDWARE ETWORK |
|
STATIC |
|
¿? |
|
|
Network-related metric. This is also related to risk assessment. Can be traslated into embedded systems |
|
|
|
| 108 |
10 |
|
YES |
Host-based |
With Probability Values |
- |
- |
- |
Probability of attack detection |
|
It is used to assess the likelihood of a countermeasure to successfully identify the event of an attack on a target |
- |
SOFTWARE ARDWARE ETWORK |
|
DYNAMIC |
|
¿? |
|
|
Network-related metric. This is also related to risk assessment. Can be traslated into embedded systems |
|
|
|
| 109 |
10 |
|
YES |
Host-based |
With Probability Values |
- |
- |
- |
Probability of host compromised |
|
It is used to assess the likelihood of an attacker to successfully compromise a target |
- |
HARDWARE OFTWARE ETWORK |
|
STATIC YNAMIC |
|
¿? |
|
|
Network-related metric. This is also related to risk assessment. Can be traslated into embedded systems |
|
|
|
| 137 |
4 |
|
YES |
- |
- |
- |
- |
- |
Number of bits leaked (mean privacy) |
DATA |
|
|
NETWORK |
SEMI-AUTOMATIC |
STATIC |
|
¿? |
|
|
If adapted, this metric can be used to test memory related vulnerabilities |
|
|
|
| 139 |
5 |
|
NO |
- |
- |
- |
- |
- |
rav |
OPSEC |
It is a scale measurement of the attack surface, the amount of uncontrolled interactions with a target, which is calculated by the quantitative balance between operations, limitations, and controls |
- |
|
|
|
|
|
|
|
|
|
|
|
| 141 |
11 |
|
YES |
Churn |
- |
- |
- |
- |
Churn |
CODE |
Count of Source Lines of Code that has been added or changed in a component since the previous revision of the software |
- |
SOFTWARE |
- |
- |
|
- |
|
|
|
|
|
|
| 148 |
11 |
|
YES |
Churn |
- |
- |
- |
- |
Relative churn |
CODE |
Normalized by parameters such as lines of code, files counts |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
|
|
|
|
|
|
|
| 149 |
11 |
|
YES |
Churn |
- |
- |
- |
- |
Repeat frequency |
CODE |
The number of consecutive edits that are performed on a binary |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
|
|
|
|
|
|
|
| 150 |
11 |
|
YES |
Churn |
- |
- |
- |
- |
Total churn |
CODE |
The total added, modified, and deleted lines of code of a binary during the development |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
|
|
|
|
|
|
|
| 155 |
11 |
|
YES |
Complexity* |
- |
- |
- |
- |
Cyclomatic number |
CODE |
M = E − N + P, where E = the number of edges of the graph. N = the number of nodes of the graph. P = the number of connected components. |
|
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 158 |
11 |
|
YES |
Complexity |
- |
- |
- |
- |
Fan in (FI) |
COUPLING |
Number of inputs a function uses. Inputs include parameters and global variables that are used (read) in the function / Number of functions calling a function |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 159 |
11 |
|
YES |
Complexity |
- |
- |
- |
- |
Fan out (FO) |
COUPLING |
Number of outputs that are set. The outputs can be parameters or global variables (modified) / Number of functions called by a function |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 162 |
11 |
|
YES |
Complexity |
- |
- |
- |
- |
Max fan in |
CODE |
The largest number of inputs to a function such as parameters and global variables |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 163 |
11 |
|
YES |
Complexity |
- |
- |
- |
- |
Max fan out |
CODE |
The largest number of assignment to the parameters to call a function or global variables |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 164 |
11 |
|
YES |
Complexity |
- |
- |
- |
- |
MaxMaxNesting |
CODE |
The maximum of MaxNesting in a file |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 165 |
11 |
|
YES |
Complexity |
- |
- |
- |
- |
MaxNesting |
CODE |
Maximum nesting level of control constructs such as if or while statements in a function |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 166 |
11 |
|
YES |
Complexity |
- |
- |
- |
- |
Nesting complexity |
CODE |
Maximum nesting level of control constructs (if, while, for, switch, etc.) in the function |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 167 |
11 |
|
YES |
Complexity |
- |
- |
- |
- |
Number of children (NOC) |
CODE |
Number of immediate sub-classes of a class or the count of derived classes. If class CA inherits class CB, then CB is the base class and CA is the derived class. In other words, CA is the children of class CB, and CB is the parent of class CB. |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 168 |
11 |
|
YES |
Complexity |
- |
- |
- |
- |
SumCyclomaticStrict |
CODE |
The sum of the strict cyclomatic complexity, where strict cyclomatic complexity is defined as the number of conditional statements in a function |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 169 |
11 |
|
YES |
Complexity |
- |
- |
- |
- |
SumEssential |
CODE |
The sum of essential complexity, where essential complexity is defined as the number of branches after reducing all the programming primitives such as a for loop in a function’s control flow graph into a node iteratively until the graph cannot be reduced any further. Completely well-structured code has essential complexity 1 |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 170 |
11 |
|
YES |
Complexity |
- |
- |
- |
- |
SumFanIn |
CODE |
The sum of FanIn, where FanIn is defined as the number of inputs to a function such as parameters and global variables |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 171 |
11 |
|
YES |
Complexity |
- |
- |
- |
- |
SumFanOut |
CODE |
The sum of FanOut, where FanOut is defined as the number of assignment to the parameters to call a function or global variables |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 172 |
11 |
|
YES |
Complexity |
- |
- |
- |
- |
SumMaxNesting |
CODE |
The sum of the MaxNesting in a file, where MaxNesting is defined as the maximum nesting level of control constructs such as if or while statements in a function |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 173 |
11 |
|
YES |
Complexity |
- |
- |
- |
- |
McCabe Cyclomatic Complexity |
CODE |
M = E − N + 2P, where E = the number of edges of the graph. N = the number of nodes of the graph. P = the number of connected components |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 174 |
11 |
|
YES |
Complexity |
- |
- |
- |
- |
Weighted methods per class (WMC) |
CODE |
Number of local methods defined in the class |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 181 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Administrator and operator logs |
LOG |
Total number corrective actions taken after specific event is recorded in log / total number of events recorded in log * 100 |
- |
|
|
|
|
|
|
|
|
|
|
|
| 187 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Classified Accessor Attribute Interactions (CAAI) |
CODE |
The ratio of the sum of all interactions between accessors and classified attributes to the possible maximum number of interactions between accessors and classified attributes in the program |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 188 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Classified Attributes Interaction Weight (CAIW) |
CODE |
The ratio of the number of all interactions with classified attributes to the total number of all interactions with all attributes in the program |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 189 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Classified Class Data Accessibility (CCDA) |
CODE |
The ratio of the number of non-private classified class attributes to the number of classified attributes in the program |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 190 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Classified Instance Data Accessibility (CIDA) |
CODE |
The ratio of the number of non-private classified instance attributes to the number of classified attributes in the program |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 191 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Classified Method Extensibility (CME) |
CODE |
The ratio of the number of the non-finalised classified methods in program to the total number of classified methods in the program |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 192 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Classified Methods Weight (CMW) |
CODE |
The ratio of the number of classified methods to the total number of methods in the program |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 193 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Classified Mutator Attribute Interactions (CMAI) |
CODE |
The ratio of the sum of all interactions between mutators and classified attributes to the possible maximum number of interactions between mutators and classified attributes in the program. |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 194 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Classified Operation Accessibility (COA) |
CODE |
The ratio of the number of non-private classified methods to the number of classified methods in the program |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 195 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Classified Writing Methods Proportion (CWMP) |
CODE |
The ratio of the number of methods which write classified attributes to the total number of classified methods in the program |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 196 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Composite-Part Critical Classes (CPCC) |
CODE |
The ratio of the number of critical composed-part classes to the total number of critical classes in the program |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 0 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Classes Design Proportion (CDP) |
CODE |
Ratio of the number of critical classes to the total number of classes, from the group of Design Size Metrics. |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 201 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Critical Class Extensibility (CCE) |
CODE |
The ratio of the number of the non-finalised critical classes in program to the total number of critical classes in the program |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 202 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Critical Design Proportion (CDP) |
CODE |
The ratio of the number of critical classes to the total number of classes in the program |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 203 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Critical Element Ratio |
CODE |
A process may not require all aspects of an object to be instantiated. Critical Elements Ratio = (Critical Data Elements in an Object) / (Total number of elements in the object) |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 204 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Critical Serialized Classes Proportion (CSCP) |
CODE |
The ratio of the number of critical serialized classes to the total number of critical classes in the program |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 205 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Critical Superclasses Inheritance (CSI) |
CODE |
The ratio of the sum of classes which may inherit from each critical superclass to the number of possible inheritances from all critical classes in the program’s inheritance hierarchy |
- |
SOFTWARE |
- |
- |
|
¿? |
|
|
|
|
|
|
| 206 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Critical Superclasses Proportion (CSP) |
CODE |
The ratio of the number of critical superclasses to the total number of critical classes in the program’s inheritance hierarchy |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 212 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Isolation (PI) |
CODE |
This assesses the level of security isolation between system components. This means getting privileges to a component does not imply accessibility of other co-located components. This metric can be assessed using system architecture and deployment models. Components marked as confidential should not be hosted with nonconfidential (public) components. Methods that are not marked as confidential should not have access to confidential attributes or methods |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
I am not sure if this metric can be applied to embedded software |
|
|
|
| 214 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Number of Catch Blocks Per Class (NCBC) |
CODE |
It measures the exception handing factor (EHF) in some way. It is defined as the percentage of catch blocks in a class over the theoretical maximum number of catch blocks in the class |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 215 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Percentage High-, medium- and moderate-Risk Software Hazards with Safety Requirements |
|
It reveals whether all high-, medium- and moderate-risk software hazards have resulted in applicable safety requirements through hazard analysis |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
YES |
|
|
This is related to software and the design |
|
|
|
| 218 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Percentage of Software Safety Requirements (PSSR) |
|
How sufficient hazard analysis has been performed. (# Software Safety Requirements / # SoftwareRequirements) * 100 |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
YES |
|
|
This is related to software and the design |
|
|
|
| 219 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Percentage of Software Safety Requirements Traceable to Hazards |
|
Ensuring traceability to system hazards or System of Systems hazards increases the validation case. Percentage indicator of traceability of requirements. All derived software safety requirements must be traceable to system hazards or System of Systems hazards (# Traceable Software Safety Requirements / # Software Safety Requirements) * 100 |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
YES |
|
|
This is related to software and the design |
|
|
|
| 246 |
11 |
X |
YES |
Coverage |
- |
- |
- |
- |
PercentValidatedInput |
INPUTS |
To compute this metric, let T equal the count of the amount of input forms or interfaces the application exposes (the number of HTML form POSTs, GETs, and so on) and let V equal the number of these interfaces that use input validation mechanisms. The ratio V/T makes a strong statement about the Web application’s vulnerability to exploits from invalid input |
- |
SOFTWARE |
- |
- |
|
YES |
|
|
This could be adapted to other pieces of code, rather than just HTML |
|
|
|
| 247 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Ratio of Design Decisions (RDD) |
|
Ratio of the number of design decisions related to security to the total number of design decisions of the entire system. The objective is to assess the portion of design dedicated to security |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
This is related to design phase |
|
|
|
| 248 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Ratio of Design Flaws Related to Security (RDF) |
|
Ratio of design flaws related to security to the total number of design flaws applicable to the whole system |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
This is related to design phase |
|
|
|
| 250 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Ratio of Implementation Errors That Have an Impact on Security (RSERR) |
|
Ratio of the number of errors related to security to the total number of errors in the implementation of the system (i.e. NERR) |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
This is related to design phase |
|
|
|
| 253 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Ratio of Patches Issued to Address Security Vulnerabilities (RP) |
|
Ratio of the number of patches that are issued to address security vulnerabilities to the total number of patches of the system |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
If the design is available, it can be applied |
|
|
|
| 254 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Ratio of Security Requirements (RSR) |
|
Ratio of the number of requirements that have direct impact on security to the total number of requirements of the system |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
If the design is available, it can be applied |
|
|
|
| 255 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Ratio of Security Test Cases (RTC) |
|
Number of test cases designed to detect security issues to the total number of test cases of the entire system |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
If the design is available, it can be applied |
|
|
|
| 256 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Ratio of Security Test Cases that Fail (RTCP) |
|
Number of test cases that detect implementation errors (i.e. the ones that fail) to the total number of test cases, designed specifically to target security issues |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
If the design is available, it can be applied |
|
|
|
| 258 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Ratio of Software Changes Due to Security Considerations (RSC) |
|
Number of changes in the system triggered by a new set of security requirements. Software changes due to security considerations include patches that are released after a system is delivered, or any other security updates |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
If the design is available, it can be applied |
|
|
|
| 261 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Ratio of the Number of Omitted Exceptions (ROEX) |
|
Ratio of the number of omitted exceptions (i.e. Noex) to the total number of exceptions that are related to security |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 262 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Ratio of the Number of Omitted Security Requirements (ROSR) |
|
Ratio of the number of security requirements that have not been considered during the analysis phase (i.e. NOSR) to the total number of security requirements identified during the analysis phase (NSR) |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
If the design is available, it can be applied |
|
|
|
| 269 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Software Hazard Analysis Depth |
|
Hazardous software, or safety-critical software, allocated as high- or medium-risk, according to the Software Hazard Criticality Matrix, requires analysis of second- and third-order causal factors (should they exist) |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
YES |
|
|
Hazard is similar to risk. |
|
|
|
| 273 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Unaccessed Assigned Classified Attribute (UACA) |
|
The ratio of the number of classified attributes that are assigned but never used to the total number of classified attributes in the program |
- |
SOFTWARE |
- |
- |
|
- |
|
|
Object-oriented programs |
|
|
|
| 274 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Uncalled Classified Accessor Method (UCAM) |
|
The ratio of the number of classified methods that access a classified attribute but are never called by other methods to the total number of classified methods in the program |
- |
SOFTWARE |
- |
- |
|
- |
|
|
Object-oriented programs |
|
|
|
| 275 |
11 |
|
YES |
Coverage |
- |
- |
- |
- |
Unused Critical Accessor Class (UCAC) |
|
The ratio of the number of classes which contain classified methods that access classified attributes but are never used by other classes to the total number of critical classes in the program |
- |
SOFTWARE |
- |
- |
|
- |
|
|
Object-oriented programs |
|
|
|
| 284 |
11 |
|
YES |
Dependency |
- |
- |
- |
- |
Classified Attributes Inheritance (CAI) |
CODE |
The ratio of the number of classified attributes which can be inherited in a hierarchy to the total number of classified attributes in the program’s inheritance hierarchy |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 285 |
11 |
|
YES |
Dependency |
- |
- |
- |
- |
Classified Methods Inheritance (CMI) |
CODE |
The ratio of the number of classified methods which can be inherited in a hierarchy to the total number of classified methods in the program’s inheritance hierarchy |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 286 |
11 |
|
YES |
Dependency |
- |
- |
- |
- |
Coupling |
COUPLING |
Measures the following three coupling dimensions between modules: referential dependency, structural dependency, and data integrity dependency |
- |
SOFTWARE |
|
|
|
|
|
|
|
|
|
|
| 288 |
11 |
|
YES |
Dependency |
- |
- |
- |
- |
Coupling Between Object classes (CBOC) |
COUPLING |
Number of other classes coupled to a class C |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 290 |
11 |
|
YES |
Dependency |
- |
- |
- |
- |
Coupling Corruption Propagation |
COUPLING |
Coupling corruption propagation is meant to measure the total number of methods that could be affected by erroneous originating method. Coupling Corruption Propagation = Number of child methods invoked with the parameter(s) based on the parameter(s) of the original invocation |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 291 |
11 |
|
YES |
Dependency |
- |
- |
- |
- |
Critical Classes Coupling (CCC) |
CODE |
The ratio of the number of all classes’ links with classified attributes to the total number of possible links with classified attributes in the program |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Object-oriented programs. If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 292 |
11 |
|
YES |
Dependency |
- |
- |
- |
- |
Depth of Inheritance Tree (DIT) |
|
Maximum depth of the class in the inheritance tree |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 301 |
11 |
|
YES |
Dependency |
- |
- |
- |
- |
Lack of cohesion of methods (LCOM) |
|
The LCOM value for a class C is defined as LCOM(C) = (1- \E(C)\ ÷ (\V(C)\ × \M(C)\)) × 100%, where V(C) is the set of instance variables, M(C) is the set of instance methods, and E(C) is the set of pairs (v,m) for each instance variable v in V(C) that is used by method m in M(C) |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 304 |
11 |
|
YES |
Dependency |
- |
- |
- |
- |
NumCalls |
|
The number of calls to the functions defined in an entity |
- |
SOFTWARE |
|
|
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 312 |
11 |
|
YES |
Dependency |
- |
- |
- |
- |
Reflection Package Boolean (RPB) |
CODE |
A boolean value representing whether the Java program imports the reflection package (1) or not (0) |
- |
SOFTWARE |
- |
- |
|
- |
|
|
Object-oriented programs |
|
|
|
| 0 |
|
|
YES |
Dependency |
- |
- |
- |
- |
Vulnerability Propagation (VP) |
CODE |
Vulnerability Propagation (VP) of a class C, denoted by VP(C), is the set containing classes in the hierarchy which directly or indirectly inherit class C. Cardinality of set VP(C) represents the number of classes which have become vulnerable due to class C. Alternatively, Vulnerability Propagation of a class C is the total number of classes which directly or indirectly inherit class C. |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
This metric can be applied to embedded software |
|
|
|
| 315 |
11 |
|
YES |
Dependency |
- |
- |
- |
- |
Vulnerability Propagation Factor (VPF) |
CODE |
An Inheritance hierarchy may contain no class or one or more vulnerable classes. Also, there are more than one Inheritance hierarchies present in a design. So, calculation of Vulnerability Propagation Factor (VPF) of a design requires calculation of Vulnerability Propagation due to each vulnerable class in Inheritance hierarchies present in the design. Then, union of Vulnerability Propagation due to each vulnerable class will give overall Vulnerability Propagation in design. |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
This metric can be applied to embedded software |
|
|
|
| 316 |
11 |
|
YES |
Effort |
- |
- |
- |
- |
Access Complexity (AC) |
ACCESS |
This metric measures the complexity of attacks exploiting the vulnerability. A vulnerability with low complexity can be for example a buffer overflow in a web server, the vulnerability can be exploited at will |
- |
|
|
|
|
|
|
|
|
|
|
|
| 317 |
11 |
|
YES |
Effort |
- |
- |
- |
- |
Access Vector (AV) |
ACCESS |
This metric indicates from where an attacker can exploit the vulnerability |
- |
|
|
|
|
|
|
|
|
|
|
|
| 320 |
11 |
|
YES |
Effort |
- |
- |
- |
- |
Authentication (AU) |
AUTHENTICATION |
This metric counts how often an attacker must authenticate before the vulnerability can be exploited |
- |
|
|
|
|
|
|
|
|
|
|
|
| 322 |
11 |
|
YES |
Effort |
- |
- |
- |
- |
Damage potential-effort ratio |
|
It indicates the level of damage an attacker can potentially cause to the system and the effort required for the attacker to cause such damage |
- |
DEVICE |
SEMI-AUTOMATIC* |
DYNAMIC* |
|
YES |
|
|
It seems that it can be applied to embeded systems, but I am not sure if it is applicable in the evaluation phase |
|
|
|
| 324 |
11 |
|
YES |
Effort |
- |
- |
- |
- |
ExclusiveExeTime |
|
Execution time for the set of functions, S, defined in an entity excluding the execution time spent by the functions called by the functions in S |
- |
|
|
|
|
|
|
|
|
|
|
|
| 327 |
11 |
|
YES |
Effort |
- |
- |
- |
- |
InclusiveExeTime |
|
Execution time for the set of functions, S, defined in an entity including all the execution time spent by the functions called directly or indirectly by the functions in S |
- |
|
|
|
|
|
|
|
|
|
|
|
| 332 |
11 |
|
YES |
Effort |
- |
- |
- |
- |
Protection Rate (PR) |
|
It expresses the efficiency of security mechanisms. Percentage of the known vulnerabilities protected by a given security mechanism. It is based on the Attack Surface metric. PR = (1 - AttackSurfaceEvaluatedSystem / AttackSurfaceReferenceSystem) * 100 |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
DYNAMIC* |
|
¿? |
|
|
This metric was developed specificaly for OSGi platform, but I think it can be adapted to be applied to embedded systems |
|
|
|
| 334 |
11 |
|
YES |
Effort |
- |
- |
- |
- |
Side-channel Vulnerability Factor (SVF) |
|
SVF quantifies patterns in attackers’ observations and measures their correlation to the victim’s actual execution patterns and in doing so captures systems’ vulnerability to side-channel attacks. we can measure information leakage by computing the correlation between ground-truth patterns and attacker observed patterns. We call this correlation Side-channel Vulnerability Factor (SVF). SVF measures the signal-to-noise ratio in an attacker’s observations. While any amount of leakage could compromise a system, a low signal-to-noise ratio means that the attacker must either make do with inaccurate results (and thus make many observations to create an accurate result) or become much more intelligent about recovering the original signal. We use phase detection techniques to find patterns in both sets of data then compute the correlation between actual patterns in the victim and observed patterns. |
- |
HARDWARE |
SEMI-AUTOMATIC* |
DYNAMIC* |
|
YES |
|
|
Embedded devices can be vulnerable to side-channel attacks and they can be tested |
|
|
|
| 336 |
11 |
|
YES |
Effort |
- |
- |
- |
- |
Structural severity |
RISK |
Measure that uses software attributes to evaluate the risk of an attacker reaching a vulnerability location from attack surface entry points. It is measured based on three values: high (reachable from an entry point), medium (reachable from an entry point with no dangerous system calls), low (not reachable from any entry points) |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
DYNAMIC* |
|
¿? |
|
|
I am not sure if this metric can be applied to embedded software |
|
|
|
| 0 |
11 |
|
YES |
Effort |
- |
- |
- |
- |
Vulnerability Index (VI) |
|
Probability of a component’s vulnerability being exposed in a single execution |
- |
DEVICE |
MANUAL* |
DYNAMIC* |
|
¿? |
|
|
It seems that it can be applied to embeded systems, but I am not sure if it is applicable in the evaluation phase |
|
|
|
| 0 |
11 |
|
YES |
Effort |
- |
- |
- |
- |
Effective Vulnerability Index (EVI) |
|
Relative measure of the impact of a component on the system’s insecurity |
- |
DEVICE |
SEMI-AUTOMATIC* |
DYNAMIC* |
|
¿? |
|
|
It seems that it can be applied to embeded systems, but I am not sure if it is applicable in the evaluation phase |
|
|
|
| 361 |
11 |
|
YES |
Size |
- |
- |
- |
- |
Classified Attributes Total (CAT) |
|
The total number of classified attributes in the program |
- |
SOFTWARE |
- |
- |
|
- |
|
|
Object-oriented programs |
|
|
|
| 362 |
11 |
|
YES |
Size |
- |
- |
- |
- |
Classified Methods Total (CMT) |
|
The total number of classified methods in the program |
- |
SOFTWARE |
- |
- |
|
- |
|
|
Object-oriented programs |
|
|
|
| 366 |
11 |
|
YES |
Size |
- |
- |
- |
- |
Count of Base Classes (CBC) |
|
Number of base classes |
- |
SOFTWARE |
- |
- |
|
- |
|
|
|
|
|
|
| 367 |
11 |
|
YES |
Size |
- |
- |
- |
- |
Critical Classes Total (CCT) |
|
The total number of critical classes in the program |
- |
SOFTWARE |
- |
- |
|
- |
|
|
Object-oriented programs |
|
|
|
| 378 |
11 |
|
YES |
Size |
- |
- |
- |
- |
Number of Design Decisions Related to Security (NDD) |
|
The proposed metric aims at assessing the number of design decisions that address the security requirements of the system. During the design phase, it is common to end up with multiple solutions to the same problem. Software engineers make many design decisions in order to choose among alternative design solutions. |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
If the design is available, it can be applied |
|
|
|
| 383 |
11 |
|
YES |
Size |
- |
- |
- |
- |
Number of global variables * |
|
|
|
SOFTWARE |
|
|
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 390 |
11 |
|
YES |
Size |
- |
- |
- |
- |
Number of return points in the method |
|
|
|
SOFTWARE |
|
|
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 391 |
11 |
|
YES |
Size |
- |
- |
- |
- |
Number of Security Algorithms (NSA) |
|
Number of security algorithms that are supported by the application |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
If the design is available, it can be applied, but this metric can be used in finals stages of the development life-cycle |
|
|
|
| 393 |
11 |
|
YES |
Size |
- |
- |
- |
- |
Number of Security Requirements (NSR) * |
|
Number of security requirements identified during the analysis phase of the application |
- |
SOFTWARE |
MANUAL |
STATIC* |
|
¿? |
|
|
If the design is available, it can be applied |
|
|
|
| 394 |
11 |
|
YES |
Size |
- |
- |
- |
- |
Number of sub classes |
|
|
|
SOFTWARE |
|
|
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 395 |
11 |
|
YES |
Size |
- |
- |
- |
- |
NumFunctions |
|
|
|
SOFTWARE |
|
|
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 400 |
11 |
|
YES |
Size |
- |
- |
- |
- |
Response set for a Class (RFC) |
|
Set of methods that can potentially be executed in response to a message received by an object of that class. RFC is simply the number of methods in the set, including inherited methods |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 402 |
11 |
|
YES |
Size |
- |
- |
- |
- |
Stall Ratio |
CODE |
Stall ratio is a measure of how much a program’s progress is impeded by frivolous activities. stall ratio = (lines of non-progressive statements in a loop) / (total lines in the loop) |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 409 |
11 |
|
YES |
Strength |
- |
- |
- |
- |
Comment ratio |
|
Ratio of number of comment lines to number of code lines |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
YES |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 410 |
11 |
|
YES |
Strength |
- |
- |
- |
- |
CommentDensity |
|
The ratio of lines of comments to lines of code |
- |
|
|
|
|
|
|
|
|
|
|
|
| 411 |
11 |
|
YES |
Strength |
- |
- |
- |
- |
Compartmentalization |
CODE |
Compartmentalization means that systems and their components run in different compartments, isolated from each other. Thus a compromise of any of them does not impact the others. This metric can be measured as the number of independent components that do not trust each other (performs authentication and authorization for requests/calls coming from other system components) that the system is based on to deliver its function. The higher the compartmentalization value, the more secure the system |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 415 |
11 |
|
YES |
Strength |
- |
- |
- |
- |
Defense-In-Depth |
CODE |
This metric verifies that security controls are used at different points in the system chain including network security, host security, and application security. Components that have critical data should employ security controls in the network, host, and component layers. To assess this metric we need to capture system architecture and deployment models as well as the security architecture model. Then we can calculate the ratio of components with critical data that apply the layered security principle compared to number of critical components |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
I am not sure if this metric can be applied to embedded software, or at verification phases |
|
|
|
| 417 |
11 |
|
YES |
Strength |
- |
- |
- |
- |
Fail Securely |
CODE |
The system does not disclose any data that should not be disclosed ordinarily at system failure. This includes system data as well as data about the system in case of exceptions. This metric can be evaluated from the security control responses – i.e. how the control behaves in case it failed to operate. From the system architecture perspective, we can assess it as the number of critical attributes and methods that can be accessed in a given component. The smaller the metric value, the likely more secure the system in case of failure |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
YES |
|
|
This could be used in evaluation |
|
|
|
| 421 |
11 |
|
YES |
Strength |
- |
- |
- |
- |
Isolation (PI) |
CODE |
This assesses the level of security isolation between system components. This means getting privileges to a component does not imply accessibility of other co-located components. This metric can be assessed using system architecture and deployment models. Components marked as confidential should not be hosted with nonconfidential (public) components. Methods that are not marked as confidential should not have access to confidential attributes or methods |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
I am not sure if this metric can be applied to embedded software |
|
|
|
| 423 |
11 |
|
YES |
Strength |
- |
- |
- |
- |
Least Privilege |
CODE |
This metric states that each component and user should be granted the minimal privileges required to complete their tasks. This metric can be assessed from two perspectives: from the security controls perspective we can review users’ granted privileges. From the architectural analysis perspective this can be assessed as how the system is broken down to minimal possible actions i.e. the number of components that can access critical data. The smaller the value, the more secure the system |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
If the software is available, it can be applied. It can be also applied to embedded software |
|
|
|
| 431 |
11 |
|
YES |
Strength |
- |
- |
- |
- |
Trustworthiness |
|
Trustworthiness of software means its worthy of being trusted to fulfill requirements which may be needed for a particular software component, application, system, or network. It involves attributes of stability, data security, quality, privacy, safety and so on. Software trustworthiness is interrelated with not only risk control in the software process, but also the quality management of the software development process. Furthermore, vision is needed to avoid excessive costs and schedule delays in development and risks management costs in operation; to improve development efforts; and above all |
- |
SOFTWARE |
- |
- |
|
- |
|
|
- |
|
|
|
| 433 |
11 |
|
YES |
Strength |
- |
- |
- |
- |
Variable Security Vulnerability |
CODE |
The security vulnerability of a variable v@l is determined by the combined security damage it might cause to the overall system security when v@l is attacked. The more security properties that can be left intact, the less vulnerable the variable is; on the other hand, the more security properties are violated, the more criticall the variable is. |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
¿? |
|
|
This is only applicable if the source code is available |
|
|
|
| 449 |
11 |
|
YES |
Weakness |
- |
- |
- |
- |
Faults found during manual inspection |
|
|
|
SOFTWARE |
|
|
|
YES |
|
|
It is related to software and it can be applied to embedded software |
|
|
|
| 458 |
11 |
|
YES |
Weakness |
- |
- |
- |
- |
Number of Design Flaws Related to Security (NSDF) |
|
Security-related design flaws occur when software is planned and specified without proper consideration of security requirements and principles. For instance, clear-text passwords are considered as design flaws. Design flaws can be detected using design inspection techniques (e.g., design reviews). Identifying the number of design flaws related to security can help detect security issues earlier in the design process |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
If the design is available, it can be applied |
|
|
|
| 459 |
11 |
|
YES |
Weakness |
- |
- |
- |
- |
Number of Exceptions That Have Been Implemented to Handle Execution Failures Related to Security (NEX) |
|
Number of exceptions that have been included in the code to handle possible failures of the system due to an error in a code segment that has an impact on security |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
If the design is available, it can be applied |
|
|
|
| 462 |
11 |
|
YES |
Weakness |
- |
- |
- |
- |
Number of Implementation Errors Found in the System (NERR) |
|
Number of implementation errors of the system |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Related to the implementation phase |
|
|
|
| 463 |
11 |
|
YES |
Weakness |
- |
- |
- |
- |
Number of Implementation Errors Related to Security (NSERR) |
|
Number of implementation errors of the system that have a direct impact on security. One of the most common security related implementation errors is the buffer overflow |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Related to the implementation phase |
|
|
|
| 464 |
11 |
|
YES |
Weakness |
- |
- |
- |
- |
Number of Omitted Exceptions for Handling Execution Failures Related to Security (NOEX) |
|
Number of missing exceptions that have been omitted by software engineers when implementing the system. These exceptions can easily be determined through testing techniques. |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
Related to the implementation phase |
|
|
|
| 465 |
11 |
|
YES |
Weakness |
- |
- |
- |
- |
Number of Omitted Security Requirements (NOSR) |
|
Number of requirements that should have been considered when building the application |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
¿? |
|
|
If the design is available, it can be applied |
|
|
|
| 471 |
11 |
|
YES |
Weakness |
- |
- |
- |
- |
Number of violations of the LP principle |
|
Number of violations of the Least Privilege principle. A component does not adhere to LP if it, based upon the permissions attributed as described before, is capable of executing tasks it is not responsible for |
- |
SOFTWARE |
AUTOCATIC* |
STATIC* |
|
YES |
|
|
This could be used in embedded systems |
|
|
|
| 473 |
11 |
|
YES |
Weakness |
- |
- |
- |
- |
Percentage Software Hazards (PSH) |
|
Comparing the number of software hazards identified against historical data, it indicates the sufficiency of the software hazard identification based on the identified hazards. (# software hazards / # System hazards ) * 100 |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
SÍ |
|
|
Hazard is similar to risk. |
|
|
|
| 480 |
11 |
|
YES |
Weakness |
- |
- |
- |
- |
Static analysis alert count (number of) |
|
|
|
SOFTWARE |
|
|
|
|
|
|
|
|
|
|
| 488 |
11 |
|
YES |
Weakness |
- |
- |
- |
- |
Vulnerability Density |
CODE |
Number of vulnerabilities in the unit size of a code. VD = size of the software / # vulnerabilities in the system |
- |
SOFTWARE |
SEMI-AUTOMATIC* |
STATIC* |
|
YES |
|
|
It seems that it can be applied to embeded systems, but I am not sure if it is applicable in the evaluation phase |
|
|
|
| 494 |
11 |
|
YES |
Dependency* |
- |
- |
- |
- |
Security metrics of Arithmetic Expression |
|
The security flaws of arithmetic expression include divide by zero, overflow of arithmetic operation, misused data type of arithmetic expression, and truncation error of arithmetic operation |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
¿? |
|
|
This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist |
|
|
|
| 495 |
11 |
|
YES |
Dependency* |
- |
- |
- |
- |
Security Metrics of Array Index |
|
The security flaws of array index include index out of range, incorrect index variable and uncontrollable array index |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
¿? |
|
|
This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist |
|
|
|
| 496 |
11 |
|
YES |
Dependency* |
- |
- |
- |
- |
Security Metrics of Component Interfaces |
|
The security flaws of component interface include inconsistent parameter numbers, inconsistent data types, and inconsistent size of data types |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
¿? |
|
|
This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist |
|
|
|
| 497 |
11 |
|
YES |
Dependency* |
- |
- |
- |
- |
Security Metrics of Control Operation |
|
The security flaws of control operations include infinite loop, deadlock situations and boundary defects |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
¿? |
|
|
This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist |
|
|
|
| 498 |
11 |
|
YES |
Dependency* |
- |
- |
- |
- |
Security Metrics of I/O Management |
|
File is an important media which can store critical information and record log data. However, file privilege definition, file access management, file contents, file organization and file size are major factors to affect the security software operation |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
¿? |
|
|
This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist |
|
|
|
| 499 |
11 |
|
YES |
Dependency* |
- |
- |
- |
- |
Security Metrics of Input Format |
|
The security flaws of data format include mismatched data contents, mismatched data type, mismatch data volume |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
¿? |
|
|
This is not a metric, but a group of them. Individually, they could be used if they are specified. Part of a checklist |
|
|
|
| 500 |
11 |
|
YES |
Dependency* |
- |
- |
- |
- |
Security Metrics of Kernel Operation |
|
A released software system must be adapted to a suitable operating system and environment. The kernel of operating system and environment become a critical factor to affect the operating security of software system. Resource management, execution file protection, main memory control and process scheduling are major tasks of operating system. The security flaws, which embedded in the tasks of operating system, become high security risk for software system operation |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
¿? |
|
|
This is not a metric, but a group of them. Individually, they could be used if they are specified. Checklist. Only when there is an OS |
|
|
|
| 501 |
11 |
|
YES |
Dependency* |
- |
- |
- |
- |
Security Metrics of Network Environment |
|
Network environment is a critical tool in the e-commerce years. However, data transmission management, remote access control, and transmission contents always become the security holes of software system operation |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
¿? |
|
|
This is not a metric, but a group of them. Individually, they could be used if they are specified |
|
|
|
| 502 |
11 |
|
YES |
Dependency* |
- |
- |
- |
- |
Security Metrics of Resources Allocation |
|
The security flaws of resource allocation include exhausted memory, unreleased memory exhausted resources, and unreleased resources |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
¿? |
|
|
This is not a metric, but a group of them. Individually, they could be used if they are specified |
|
|
|
| 503 |
11 |
|
YES |
Dependency* |
- |
- |
- |
- |
Security Metrics of User Authority |
|
Many users may use the released system to do specific jobs. However, user privilege definition, user password management and user detailed information maintenance are important tasks to control and manage the user authority. Without user authority control and management, the operation environment of software system will be on high security risk |
- |
SOFTWARE |
AUTOMATIC* |
STATIC* |
|
¿? |
|
|
This is not a metric, but a group of them. Individually, they could be used if they are specified |
|
|
|
| 526 |
11 |
|
YES |
Weakness |
- |
- |
- |
- |
Kolmogorov Complexity |
|
|
|
SOFTWARE |
|
|
|
|
|
|
|
|
|
|