
JOURNAL OF COMPUTING, VOLUME 3, ISSUE 6, JUNE 2011, ISSN 2151-9617 HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/ WWW.JOURNALOFCOMPUTING.ORG

A Novel Approach for Measuring Security in Software Systems - CIAAAN


Mukta Narang and Monica Mehrotra
Abstract - A novel approach for measuring security in software systems is introduced in this study and named CIAAAN. The name was coined because the framework measures security along its six basic pillars - Confidentiality, Integrity, Authentication, Authorization, Availability, and Non-repudiation. The framework analyzes security with the highest level of precision: it decomposes security along the six dimensions down to its finest details, which can be measured. A security metric is applied to each of them to analyze its contribution towards the overall security. The security of the software system is thus measured as the combined effect of security at the minutest level. Web based applications have been the primary focus of this study, though the framework can be applied to any kind of software system. Software systems can use this framework to measure their security factor, which in turn gives a confidence level to the users of that system.

Index Terms - Security Metrics, Security Measurement Framework, web based applications.

1 INTRODUCTION
The increasing dependency on software intensive systems is making way for systems which are more reliable and secure. Security is becoming one of the prime objectives of all software systems. Though all software systems incorporate security, there is still no scale available to measure the extent of security that any system offers. The need of the hour is a systematic approach to measuring security which can give that confidence level to the users of these systems. The CIAAAN framework is an attempt in that direction. The name CIAAAN (pronounced c-an) itself stands on the six basic pillars of security - Confidentiality, Integrity, Authentication, Authorization, Availability, Non-repudiation. Till date the CIA Triad [7] is a venerable, well known model for security policy development, used to identify problem areas and necessary solutions for security, mainly information security. CIA stands for Confidentiality, Integrity and Availability. Confidentiality refers to the importance of protecting your most sensitive information from unauthorized access. Integrity is protecting data from modification or deletion by unauthorized parties, and ensuring that when authorized people make changes that should not have been made, the damage can be undone. Availability of data refers to systems, access channels and authentication mechanisms all working properly to make the information available when needed. The CIA triad has been an established model which can be extended to software systems. Though it is used worldwide, it has some limitations. In all three aspects mentioned above they are dealing with authorization. If authorization is such a crucial aspect that all the others are incomplete without incorporating it, then it is unfair to talk of security without authentication. With authentication comes the need for authorization. If authentication is verifying the user's credentials, then one needs an authorization mechanism which is responsible for managing rights and access control based on the authorization policy. Non-repudiation is another aspect which is becoming very important in today's scenario. This deals with the assurance that the sender of information is provided with proof of delivery and the recipient is provided with the sender's identity, so that neither can later deny having processed the information. Though security can be classified under a wider set of dimensions, these six are the major contributors to security and cover security in almost all dimensions. The CIAAAN framework follows a decomposition approach. It decomposes security along the six dimensions into the major parameters with respect to each dimension. These parameters are the logical division of the dimensions along the three major aspects of security of any software system - physical, system, and policy. Each parameter is further expressed as a set of activities, which make the security of the software system foolproof. Depending upon the activities that are being taken care of in each set, CIAAAN analyzes the strength factor. This is like dividing a piece of diamond into its minutest particles and analyzing each of them to see the overall shining factor. The framework on similar lines analyzes the security of the software system by first dividing it into its minutest components and then analyzing each one of them to find the overall security. The CIAAAN framework can be applied to any software system, but for this study we have restricted our domain to web based application software, which is basically software packages that can be accessed through a web browser. The software and database in these systems reside on a central server rather than being installed on the desktop system and are accessed over a network.

Mukta Narang is a research scholar with the Department of Computer Science, Jamia Milia Islamia, Delhi, India. Monica Mehrotra is with the Department of Computer Science, Jamia Milia Islamia, Delhi, India.

2 RELATED WORK
Our earlier work includes the identification of a generic security metric for all software systems [20]. The work presented in this study is an application of that metric to web based application software, emphasizing the methodology of measuring security using the CIAAAN framework. Savola [18] proposed a classification of security enforcing mechanisms. This provided an initial basis for measuring the security of software along the six dimensions. This study has further classified these dimensions until the measurable components of security have been identified. The U.S. National Institute of Standards and Technology (NIST) has recommended Security Controls for Federal Information Systems and Organizations in NIST Special Publication 800-53 [1]. It has also recommended the Security Configuration Checklists program for IT products in NIST Special Publication SP 800-70 [3]. SANS is another organization which has given various policies for some specific aspects of security [11, 12, 13, 14]. The ISO Code of Practice for Information Security Management (ISO 17799, 27002) [10] recommends some best practices for information security. The co-author of this study, Mehrotra et al. [8], in her earlier work has presented a technical report to DIT, Ministry of Communication & IT, where they have laid down various security policies. In our CIAAAN model we decompose security to its minutest measurable components, each of which is a set of activities contributing to the overall security. CIAAAN has taken care that these components can be identified and further grouped appropriately.

Figure 1 : Software Security tree structure

3 KEY CONSIDERATIONS
For the study conducted, there were a few key considerations. These are as follows:
The study has been conducted on web based application software of similar nature.
All the values provided during the survey by the correspondents are assumed to be well analyzed values.
The security of the software system has to be first modeled in a pre-defined hierarchical tree structure as shown in fig 1. The root of this tree is software security. Security can be further classified along the six basic dimensions of confidentiality, integrity, authentication, authorization, availability and non repudiation. Thus, as defined in section 1, these six dimensions make the next level of security.

At level 2 we classify security further along all six dimensions. This classification is based on identifying parameters which contribute to confidentiality, integrity, authentication, authorization, availability and non repudiation individually. These parameters are identified based on three aspects of security:
System - This includes all the components that make the software system. This category covers the major portion of the security parameters as it analyzes all the integrities within the system. This mainly includes the data, communication, auditing, restoration, implementation, user account management and many more.
Physical - This includes all the physical access points where the software system is deployed. This aspect plays a very important role in the security of software systems. One may secure the software system, but what if the place where all the servers are installed is not physically secured?
Policy - Every organization these days is applying some security policy at corporate governance level. The overall objective is to control or guide human behavior in an attempt to reduce the risk to assets from accidental or deliberate actions. This category defines the parameters in terms of formal agreements, standard procedures and different controls with which the software security should abide.


4 PROPOSED SECURITY MEASUREMENT FRAMEWORK - CIAAAN

The CIAAAN framework has four main steps, which are detailed in the respective sub headings. We have explained and exemplified the steps with respect to web application software.

4.1 Security modeling of the software system

The key consideration for applying the CIAAAN framework is that the security of the software system is represented in the form of a level 2 hierarchical tree. After an in-depth study of web based application systems and their security needs, security threats, security controls and various security related standards, a generalized security tree representation for software systems could be derived. The basic task here is to identify the different parameters which contribute to confidentiality, integrity, authentication, authorization, availability and non repudiation individually. The parameters are classified keeping in mind the logical aspects of security. This representation is shown in fig 2 (in fig 2, the values in the subscript are the weights, which are explained in section 4.2).

Figure 2 : Security Modelling of software systems

The logical grouping of parameters under the System aspect of security consists of:
Data - security with respect to the data transmitted, transformed or stored within the software system. This consists of data in the form of messages, information, encryption keys and backups.
Logic Implementation - to make security an inbuilt feature of the software, this parameter plays a very important role. It is a measuring stick to see whether security was taken care of when the logic was taking the final shape of the software.
Remote Access - authorized access to the software system should be possible from any remote location (such as from a different network, anywhere over the internet, or from a mobile device) in a secure manner.
Audit - the software system has to be continuously monitored and guarded against any unauthorized access with the intention of modifying or destroying the data/services of the system.
Configuration - the software system has to be supported with some other components during deployment to make its security foolproof.
Session - as defined by Wikipedia, a session refers to a semi permanent interactive information interchange between two or more communicating devices, or between a computer and a user. These sessions carry all the confidential data, so it is very important to secure them.
User account management - a central control is required to secure the software system from any unauthorized access.
Restoration - a system disturbance may occur at any time under normal or emergency conditions. It is expected that the system is secure enough to return to its pre-disturbance condition as efficiently as possible without any damage.
Identity management - deals with identifying individuals in a system and controlling access to the resources in that system by placing restrictions on the established identities of the individuals.

The logical grouping of parameters under the Physical aspect of security consists of:
Access - a system may have been secured, but what if somebody damages the system or its components physically, for example some unauthorized person entering the server room and destroying the server machines? Hence it becomes important to prevent any unauthorized physical access to the software system.

The logical grouping of parameters under the Policy aspect of security consists of:
Formal agreement - for security reasons every organization gets some legal documents signed by its employees/third parties which give it the assurance that they will abide by the laid down security regulations.
Controls - the policies can purposefully direct the behavior of the software system to manage security.
Standard procedures - the software system enforces certain standard guidelines which, when followed, will take care of the security of the software system.
User education - to make the security of any software system foolproof, it is very important to educate the users of the system about security. For example, despite a good antivirus the system still gets a virus attack. This could be because the user was not aware that opening attachments from an unknown source could compromise the security of the system.

4.2 Assign relative weights

Though each node identified in the security model contributes to the overall security of the software system, they may have different significance levels. For example, we may keep adequate checks for physical access to the system, but what is more important is that the software system is secure enough to be operational even if its main server has been destroyed. Thus the system logic implementation is much more significant as compared to the physical access. Based on their significance, each node in the security tree has to be assigned a relative weight. In our study we have used static weights, that is, the weights are fixed for a particular domain (in this case the domain is similar kinds of web based application software). The assignment of weights was done using a survey method. A questionnaire was designed and distributed to 25 different people working on web based application software. The correspondents had to be a Project Manager, Quality Auditor or security analyst who understands the various aspects of security of any software. The data from these questionnaires was analyzed using a weighted average method and the resultant values are shown as subscripts of each node in fig 2.

4.3 Calculate strength factor

The strength factor represents how strongly security has been implemented in the actual system. Each parameter at level 2 of the hierarchical tree is assessed using a checklist approach. There is a set of measurable components attached to every parameter. This set consists of a security checklist of activities specific to each parameter under each dimension. These checklists are exhaustive lists of activities; a few samples of these lists are shown in tables 1-6.

Table 1. CONFIDENTIALITY ACTIVITY CHECKLIST

Parameters: System Data; System Communication; System Logic Implementation; System Audit; System Remote Access; Physical Access; Policy Formal Agreements; Policy Controls

Confidentiality Activities:
- Does the system use a powerful algorithm for encryption [9]
- Are the passwords used in the system encrypted during storage and transmission [1][9]
- Does the system maintain confidentiality while preparing the information for transmission (during the process of aggregation, packaging & transformation) [1]
- Is there any access control for the encryption key [8]
- Are the metadata/files maintaining passwords encrypted [8]
- Is the backup data stored and accessed by authorized users in a predefined manner
- If the information has to be stored on some external media (like USB drive, CDs, portable hard disk), is it done in an encrypted manner
- Does the system ensure that master keys are stored in a tamper proof module [8]
- Is the confidential/restricted information which is transmitted over any shared common network sent in an encrypted form [8]
- Are master keys not transmitted over the n/w [8]
- Does the system take care that the identity of the sender/receiver is not revealed to any unauthorized person at any point of time
- Are only authorized personnel accessing the encryption software [9][8]
- Are separate encryption keys created in the mail server for users who frequently communicate and transfer confidential information with external entities for business purposes via e-mail [8]
- The system implements required cryptographic protections using cryptographic modules that comply with applicable requirements such as legal requirements, executive orders, directives, policies, regulations, standards and guidance [1]
- Are functions available with the encryption system to enable decryption and recovery of data in the event of inability to decrypt due to system errors, human errors, or any other problems [8]
- Does the system use secure session protocols like https wherever applicable
- The organization establishes & manages cryptographic keys within the s/w system [1]
- Obtain public key certificates under an appropriate certificate policy from an approved service provider [1]
- Does the system enforce that the encryption keys are changed after a defined time period [8]
- Is it sure that each key has a single purpose (e.g. either storage key or transporting key) only [8]
- Is there any log maintained on dissemination of confidential/restricted/internal information of the company to any other party [8]
- Does confidential information never go into logs [8]
- Remote access to the system is only allowed through systems that have secure access software configured for this system
- Remote access tools must support strong, end-to-end encryption of the remote access communication channels as specified in the Company's network encryption protocols policy [13][5]
- Does the system restrict physical access to places where software servers are installed
- Do employees sign a declaration not to disclose any information [8]
- Are the third parties made to sign confidentiality and compliance agreements [8]
- Do users sign a confidentiality agreement at the time of joining the organization [8]
- Computer screens where the system is implemented should be kept clear of sensitive information when unattended [9]
- Is permission required/mandatory to disclose any information to any other party [8][3]
- The organization restricts access to organization defined types of digital and non digital media to an organization defined list of authorized individuals using organization defined security measures [1]

Table 2. INTEGRITY ACTIVITY CHECKLIST

Parameters: System Data; System Logic Implementation; System Audit; System Configuration; Physical Access; Policy Controls; Policy Standard Procedures; Policy User Education

Integrity Activities:
- Are the restoration procedures regularly tested to validate the integrity of the backup [6]
- Is there an automated mechanism to enforce strict adherence to protocol format [1]
- Is there any content management system to check that the data is not lost or tampered [6]
- Is there a mechanism to check data integrity when an exception occurs [8]
- Are the locations of temporary files proper and hard to guess [16]
- Does the system route all networked, privileged accesses through a dedicated, managed interface [8]
- Does the system automatically update the protection mechanism [1]
- Are intrusion detection systems employed to perform real-time analysis of network traffic patterns to detect attempted attacks wherever technically feasible [8]
- Are publicly accessible systems (e.g. external web sites) utilizing system monitoring tools that provide real-time alerts whenever suspicious user activity is detected [8]
- Is there strong input and output validation for the software system [16]
- Does the software disable scripting languages, limit cookie access and the saving of sensitive data in cookies [16]
- Does the software use library calls instead of relying on external/system calls [16]
- Does the system use stored procedures instead of dynamic SQL [16]
- Does the system produce audit records on hardware enforced, write once media [1]
- Does the system maintain a backup of the audit record onto a system or media other than the system being audited [1]
- Are security log reports generated for applications that have been determined to contain confidential/essential information [8]
- Are auditing and logging enabled on the firewall to provide information about the activities through the firewall [8]
- Is there any monitoring to ensure conformity to logical access policies and procedures [8]
- Is the DNS properly configured to avoid information leakage [6]
- Are the latest security patches installed and checked within the time schedule [6][5]
- Has the anti-virus software been configured to check all mediums for viruses [17]
- Is a procedure for automatically updating the anti-virus software in place [17]
- Are the desktops and laptops equipped with anti theft devices [17]
- Does the system prevent direct disk sharing with read/write access unless there is absolutely a business requirement to do so [12]
- Does the system enforce scanning of any external device (like a floppy diskette) from an unknown source for viruses before using it [12]
- Are the latest security patch updates made from time to time [5]
- Is anti-virus software installed on all computers which are running the software system [17]
- If users become infected with a computer virus, do they know what to do [17]
- Are employees who suspect a security breach or violation communicating their concerns to their immediate supervisor [8]
- Are all the employees responsible for maintaining a familiarity with the IT Security Policies and Procedures, Standards and Guidelines, and responsible for reporting any suspected activities, security breaches or violations [8]

Table 3. AUTHENTICATION ACTIVITY CHECKLIST

Parameters: System Logic Implementation; System Session; System Configuration; System Remote Access; Physical Access; Policy Controls; Policy Standard Procedures

Authentication Activities:
- Is there a unique id for each user [3][9]
- The system never displays any system or application identifiers until successful log-on [9]
- The system does not display help messages prior to successful log-on that could aid an unauthorized user [9]
- The validation or rejection of log-on is only on completion of all input data (e.g., both user-ID and password) [9]
- Are there some enforced password strength parameters (like at least 8 characters, some combination of alphanumeric values) [3]
- Is there any procedure for expiry of passwords after a fixed number of days [3]
- Is there any procedure to reset passwords by the security administrator on request of the user, only after verifying their id [9]
- Is there enforced changing of default passwords [9]
- Does the system prohibit the use of default passwords, where applicable [9]
- Is there centralized management of the system with highly restricted local use access [2]
- Does the system use an authentication database source which is Active Directory or LDAP, and an authentication protocol which involves a challenge-response protocol that is not susceptible to replay attacks [13]
- Is there any procedure for users to authenticate themselves to the operating systems for accessing network resources like file server, print server, proxy server etc. [8]
- Does the system ensure secure methods for creating and distributing tokens [9]
- Does the system authenticate the user at front end, middle tier and back end [8]
- Is there a facility for automatic session cleanup following the disconnection of sessions [6]
- Does the system generate a unique session id randomly for each session
- Does the system recognize only session ids that are system generated [6]
- Does the system enforce logging out by the user or timeout automatically for secure sessions [6][9]
- Are updates & patches applied regularly for the application (antivirus software, web browser) & Operating System [2]
- Are the networks segmented internally with appropriate firewalls and defense in depth techniques in place [2]
- Do all remote access tools or systems that allow communication to system resources from the Internet or external partner systems require multi-factor authentication (examples include authentication tokens and smart cards that require an additional PIN or password) [13]
- Does the remote access tool mutually authenticate both ends of the session [13]
- Do the remote access tools support the Company application layer proxy rather than direct connections through the perimeter firewall(s) [13]
- The system should ensure that no antivirus, data loss prevention, or any other security system is disabled, interfered with, or circumvented in any way [13]
- No laptops, computers and related equipment outside the scope of the system are allowed to plug into the system network [5]
- Is there physical authentication (as in swipe card access locks at all entry points for all the people involved in the system) [5]
- Is there a strong check-in and check-out system for the people outside the scope of the system [14]
- Is there a policy to limit the number of unsuccessful log on access events [3][9]
- Is there a policy for specifically authorizing and monitoring the use of guest/anonymous and temporary accounts [1]
- Is there a policy for deactivating temporary accounts when they are no longer required
- Is there a policy to notify account managers when system users are terminated or transferred [1]


Table 4. AUTHORIZATION ACTIVITY CHECKLIST

Parameters: System Logic Implementation; System User Account Management; System Audit; System Configuration; Policy Formal Agreements

Authorization Activities:
- Are the systems used for the software monitored to ensure that users are only performing processes that have been explicitly authorized [8]
- Is there a provision to disable unnecessary applications/modules by the system [2]
- Does the system route all networked, privileged accesses through a dedicated, managed interface [8]
- Does the system authorize the user at front end, middle tier and back end [6]
- Does the system enforce the access control of all system and configurable files only to the administrator [6]
- All FTP, TELNET ports have limited and authorized access
- Does the system notify the user about the number of unsuccessful login attempts made during a fixed time period [1]
- Does the system ensure that the service providers do not grant access until all authorization procedures are completed [9]
- Are new users created based on a formal authorization by the respective Heads and the respective security administrator [8]
- Fine grained allocation of user privileges [1][6]
- Does the system maintain a current record of all users authorized to use the system [9]
- Does the system enforce the assignment of a unique user-id to each user [9]
- Does the system enforce single sign on for any user [4]
- Does the system limit authorization to super user accounts [6][9]
- Does the system notify the user about the security related changes made to the user account upon successful logon [1]
- Does the system authorize access to management of audit functionality to only a limited subset of privileged users [1]
- Does the system protect the audit information from unauthorized users [1]
- Does the system provide the previous logon notification [1]
- Are computer clocks checked for correct timings [8]
- Does the system have an efficient intrusion detection system and incident response procedures such that no unauthorized activity goes undetected [6]
- Is there any periodic review of the internet connection audit reports created on the firewall [32]
- Is penetration testing done on a regular basis to check the functionality of the firewall/intrusion detection systems [5]
- Are the Database server and application server put under different segments & have proper access control restrictions [5]
- Are the Database server ports disallowed access from IP addresses other than those specified by the system
- Does the system use appropriate boundary filters (like firewalls) [1]
- Are the web and e-mail clients configured to filter & block traffic/messages that could contain malicious content [2]
- Only hosts to which access is allowed appear in the Internet accessible DNS tables [6]
- The system makes sure that no zone transfers from the Internet to internal zones for DNS are allowed [6]
- Are firewalls installed at all entry/exit points [6]
- Does each user have a written statement of their access rights and responsibilities [9]
- Does the system require users to sign statements indicating they understand the conditions of access [9]

Table 5. AVAILABILITY ACTIVITY CHECKLIST

Parameters: System Data; System Logic Implementation; System Audit; System Restoration; Physical Access; Policy Standard Procedures

Availability Activities:
- Does the system have back-up of user level and system level information [1]
- Is at least one copy of data stored in a secure, off site location [17]
- Does the system have a centralized backup & recovery facility [2]
- Does the system maintain availability of information in the event of loss of cryptography keys by the users [1]
- Are functions available with the encryption system to enable decryption and recovery of data in the event of inability to decrypt due to system error, human error or any other error
- Does the system have a provision for filtering unnecessary requests whenever a rise in requests is observed [16]
- Does the system have an alternate processing site, separated from the primary processing site [1]
- Does the system have the provision for protection of backup & restoration hardware, firmware and software using technical measures [1]
- Does the system fail securely in the event of an operational failure of a boundary protection device (like firewall, router, guard, application gateway) [1]
- Does the system have a provision for protection of backup & restoration hardware, firmware and software using physical measures [1]
- Does the system have a written continuity plan in case of major disaster [17]

Table 6. NON REPUDIATION ACTIVITY CHECKLIST

Parameters: System Logic Implementation; System Identity Management; System Audit

Non repudiation Activities:
- Is the digital signature capable of identifying the user according to the level of assurance accorded to the digital signature [8]
- Are all the facts required to be represented for obtaining a digital certificate from the enterprise certificate authority correctly represented to the issuing certifying authority [8]
- Is there uniqueness in the digital signature with respect to the party affixing the digital signature [8]
- Is every electronic record authenticated by a digital signature, using an asymmetric crypto system and hash function [8]
- Is information accessible and usable for a subsequent reference for any electronic document which may be required for a later reference for the purpose of validity and non-repudiation (e.g. electronic file, e-mails) [9]
- Are details able to give the identification (of origin, destination, etc.), date, time and receipt of document for any electronic document that needs to be retained for a later reference for the purpose of validity and non-repudiation (e.g. electronic file, e-mails) [8]
- Does the system associate the identity of the producer with the information [1]
- Does the system maintain the reviewer/releaser identity & credentials within the established chain of custody [1]


The activities in these lists will either be taken care of by the software system or have been totally neglected. The ratio between the number of activities in each checklist that the software has implemented (c) and the total number of activities in that checklist (t) gives the analyzer a fair idea of the strength of the software with respect to that particular parameter. For example, if the set for the parameter system implementation under authorization defines 8 activities in total and the software under investigation has taken care of 6 of them, then the strength factor for this parameter is 6/8, or 0.75. We have prepared a generalized, exhaustive list for each parameter. Since it is a generalized list, some activities may not be applicable to a particular software under investigation. Thus, instead of the total number of activities in the set, we consider the total number of relevant activities (tr) in the set, calculated as (1):

$tr = t - na$ (1)

where tr = total number of relevant activities in a set, t = total number of activities in the set, and na = number of activities which are not applicable to the software under investigation. The strength factor (x) can then be calculated as (2):

$x = c / tr$ (2)

4.4 Calculate security factor

As per CIAAAN, the security of any software system can be measured as the sum of the security contributions along confidentiality (SCc), integrity (SCi), authentication (SCa), authorization (SCau), availability (SCav) and non repudiation (SCn):

$S = \sum_{D \in \{c,\,i,\,a,\,au,\,av,\,n\}} SC_D$ (3)

where $SC_D$ is the security contribution along the dimension D. Expanding (3), we get

$S = SC_c + SC_i + SC_a + SC_{au} + SC_{av} + SC_n$ (4)

The contribution along each of the six dimensions can be calculated using the security metric (5):

$SC_D = W_D \cdot X_D$ (5)

where SC = security contribution, W = relative weight, X = contributing factor, and D = any of the dimensions c, i, a, au, av, n. Substituting (5) in (3), we get

$S = \sum_{D \in \{c,\,i,\,a,\,au,\,av,\,n\}} W_D X_D$ (6)

Expanding (6), we get

$S = W_c X_c + W_i X_i + W_a X_a + W_{au} X_{au} + W_{av} X_{av} + W_n X_n$ (7)

In this metric the relative weight refers to the weight that has been assigned to each of the nodes in fig. 2, as explained in section 4.2. The contributing factor reflects the individual contribution of the different activities towards a particular dimension. The contributing factor is thus the weighted sum of the strength factors of all the parameters of that dimension, which can be calculated using the metric (8):

$X_D = \sum_{i=1}^{n} w_{Di}\, x_{Di}, \quad D = c, i, a, au, av, n$ (8)

where X = contributing factor, x = strength factor (c / tr) as calculated in (2), w = relative weight of each parameter as specified in fig. 2, and n = total number of parameters of the dimension.

The contributing factor for confidentiality, $X_c$, is

$X_c = w_{c1}x_{c1} + w_{c2}x_{c2} + w_{c3}x_{c3} + w_{c4}x_{c4} + w_{c5}x_{c5} + w_{c6}x_{c6} + w_{c7}x_{c7} + w_{c8}x_{c8}$ (9)

where c1, c2, c3, c4, c5, c6, c7, c8 represent the parameters system data, system communication, system logic implementation, system audit, system remote access, physical access, policy formal agreements and policy controls respectively at the confidentiality level. Based on the analysis of the respective checklist of activities for each of these parameters we calculate the ratio c / tr to get the respective strength factors $x_{c1}, x_{c2}, \dots, x_{c8}$. From the survey we already have the weights $w_{c1}, w_{c2}, \dots, w_{c8}$ for all the parameters of confidentiality. Substituting all these values in (9) we get $X_c$.

Similarly, the contributing factor for integrity, $X_i$, is

$X_i = w_{i1}x_{i1} + w_{i2}x_{i2} + w_{i3}x_{i3} + w_{i4}x_{i4} + w_{i5}x_{i5} + w_{i6}x_{i6} + w_{i7}x_{i7} + w_{i8}x_{i8}$ (10)

where i1, i2, i3, i4, i5, i6, i7, i8 represent the parameters system data, system logic implementation, system audit, system configuration, physical access, policy controls, policy standard procedures and policy user education respectively at the integrity level. Substituting the values in (10) we get $X_i$.

Similarly, the contributing factor for authentication, $X_a$, is

$X_a = w_{a1}x_{a1} + w_{a2}x_{a2} + w_{a3}x_{a3} + w_{a4}x_{a4} + w_{a5}x_{a5} + w_{a6}x_{a6} + w_{a7}x_{a7}$ (11)

where a1, a2, a3, a4, a5, a6, a7 represent the parameters system logic implementation, system session, system configuration, system remote access, physical access, policy controls and policy standard procedures respectively at the authentication level. Substituting the values in (11) we get $X_a$.

Similarly, the contributing factor for authorization, $X_{au}$, is

$X_{au} = w_{au1}x_{au1} + w_{au2}x_{au2} + w_{au3}x_{au3} + w_{au4}x_{au4} + w_{au5}x_{au5}$ (12)

where au1, au2, au3, au4, au5 represent the parameters system logic implementation, system user account management, system audit, system configuration and policy formal agreements respectively at the authorization level. Substituting the values in (12) we get $X_{au}$.

Similarly, the contributing factor for availability, $X_{av}$, is

$X_{av} = w_{av1}x_{av1} + w_{av2}x_{av2} + w_{av3}x_{av3} + w_{av4}x_{av4} + w_{av5}x_{av5} + w_{av6}x_{av6}$ (13)

where av1, av2, av3, av4, av5, av6 represent the parameters system data, system logic implementation, system audit, system restoration, physical access and policy standard procedures respectively at the availability level. Substituting the values in (13) we get $X_{av}$.

Similarly, the contributing factor for non repudiation, $X_n$, is

$X_n = w_{n1}x_{n1} + w_{n2}x_{n2} + w_{n3}x_{n3}$ (14)

where n1, n2, n3 represent the parameters system logic implementation, system identity management and system audit respectively at the non repudiation level. Substituting the values in (14) we get $X_n$.

Finally, substituting the values of $X_c, X_i, X_a, X_{au}, X_{av}, X_n$ from (9), (10), (11), (12), (13), (14) respectively, and the dimension weights $W_c, W_i, W_a, W_{au}, W_{av}, W_n$ from fig. 2 (as per the survey), into equation (7) gives the overall security factor of the software system under investigation. The value of the security factor can vary between 0 and 1; the closer this value is to 1, the more secure the software system.
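The whole computation from (1) to (14) is short enough to carry through in code. The following Python program is an added example, not code from the paper or its authors: it implements the strength factor (1)-(2), the contributing factor (8), the security contribution (5) and the overall factor (6)/(7) exactly as stated above, using the 37 parameter names the paper lists per dimension. Every weight value and every audit count in it is a constructed placeholder (the survey weights of fig. 2 are not reproduced on this page), and the handling of a parameter whose entire checklist is not applicable (tr = 0), which the text does not address, is an assumption of this example: such a parameter is dropped and the remaining weights of its dimension are renormalised.

```python
"""Worked computation of the CIAAAN security factor (added example, not the paper's code).

Implements equations (1), (2), (5), (6)/(7) and (8).  Parameter names are the paper's;
all weights and audit counts below are constructed placeholders, since the survey
weights of fig. 2 are not reproduced on the page.
"""
from dataclasses import dataclass
from typing import Dict, List

# Parameters per dimension, in the order of equations (9)-(14).
PARAMETERS: Dict[str, List[str]] = {
    "c":  ["system data", "system communication", "system logic implementation",
           "system audit", "system remote access", "physical access",
           "policy formal agreements", "policy controls"],
    "i":  ["system data", "system logic implementation", "system audit",
           "system configuration", "physical access", "policy controls",
           "policy standard procedures", "policy user education"],
    "a":  ["system logic implementation", "system session", "system configuration",
           "system remote access", "physical access", "policy controls",
           "policy standard procedures"],
    "au": ["system logic implementation", "system user account management",
           "system audit", "system configuration", "policy formal agreements"],
    "av": ["system data", "system logic implementation", "system audit",
           "system restoration", "physical access", "policy standard procedures"],
    "n":  ["system logic implementation", "system identity management", "system audit"],
}


@dataclass(frozen=True)
class Audit:
    """Outcome of walking one parameter's activity checklist against the system."""
    total: int           # t  : activities in the generalized checklist
    not_applicable: int  # na : activities that do not apply to this system
    implemented: int     # c  : activities the system takes care of

    def relevant(self) -> int:
        """(1) tr = t - na, with a sanity check on the counts."""
        tr = self.total - self.not_applicable
        if tr < 0 or self.implemented > tr:
            raise ValueError(f"inconsistent audit counts: {self}")
        return tr

    def strength_factor(self) -> float:
        """(2) x = c / tr.  Requires tr > 0; callers drop parameters with tr == 0."""
        tr = self.relevant()
        if tr == 0:
            raise ZeroDivisionError("no relevant activities for this parameter")
        return self.implemented / tr


def contributing_factor(weights: Dict[str, float], audits: Dict[str, Audit]) -> float:
    """(8) X_D = sum_i w_Di * x_Di over the parameters of one dimension.

    Assumption of this example (not stated in the paper): a parameter whose whole
    checklist is not applicable (tr == 0) is dropped and the remaining weights are
    renormalised, so X_D stays in [0, 1] instead of being pulled towards 0.
    """
    live = {p: a for p, a in audits.items() if a.relevant() > 0}
    if not live:
        raise ValueError("every parameter of this dimension is not applicable")
    wsum = sum(weights[p] for p in live)
    return sum(weights[p] / wsum * a.strength_factor() for p, a in live.items())


def security_factor(dimension_weights: Dict[str, float],
                    parameter_weights: Dict[str, Dict[str, float]],
                    audits: Dict[str, Dict[str, Audit]]) -> dict:
    """(5) SC_D = W_D * X_D and (6)/(7) S = sum_D W_D * X_D."""
    # S lies in [0, 1] only when the dimension weights sum to 1 (assumed here).
    if abs(sum(dimension_weights.values()) - 1.0) > 1e-9:
        raise ValueError("dimension weights must sum to 1 for S to lie in [0, 1]")
    X = {d: contributing_factor(parameter_weights[d], audits[d]) for d in PARAMETERS}
    SC = {d: dimension_weights[d] * X[d] for d in PARAMETERS}
    return {"X": X, "SC": SC, "S": sum(SC.values())}


def equal_weights(names: List[str]) -> Dict[str, float]:
    """Constructed stand-in for the survey weights of fig. 2: uniform within a set."""
    return {n: 1.0 / len(names) for n in names}


def sample_assessment() -> dict:
    """Constructed audit of a hypothetical web application (illustrative counts only)."""
    audits = {d: {p: Audit(total=10, not_applicable=0, implemented=10) for p in ps}
              for d, ps in PARAMETERS.items()}
    # The paper's own example: 6 of 8 activities covered, strength factor 0.75.
    audits["au"]["system logic implementation"] = Audit(8, 0, 6)
    audits["c"]["system remote access"] = Audit(6, 2, 2)        # tr = 4, x = 0.5
    audits["av"]["system restoration"] = Audit(11, 3, 4)        # tr = 8, x = 0.5
    audits["n"]["system identity management"] = Audit(4, 4, 0)  # tr = 0, dropped
    dim_w = equal_weights(list(PARAMETERS))
    par_w = {d: equal_weights(ps) for d, ps in PARAMETERS.items()}
    return security_factor(dim_w, par_w, audits)


if __name__ == "__main__":
    r = sample_assessment()
    for d in PARAMETERS:
        print(f"X_{d:<2} = {r['X'][d]:.4f}   SC_{d:<2} = {r['SC'][d]:.4f}")
    print(f"S = {r['S']:.4f}")
```

With uniform weights the constructed assessment yields X_c = 0.9375, X_au = 0.95, X_av = 0.9167 and S of about 0.967; replacing `equal_weights` with the actual survey weights of fig. 2 is the only change needed to reproduce the paper's metric for a real audit.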

5 FUTURE WORK
The proposed CIAAAN framework is still in its nascent stage. The framework needs to be tested in various practical domains besides web based applications to establish its feasibility. Since we intend to make it a generalized measurement framework for all software systems, we need to add more activities to the proposed checklists to make them extensive and exhaustive, covering all the security related activities.

REFERENCES
[1] G. Locke, P. D. Gallagher, Recommended security controls for federal information systems and organizations, NIST Special Publication 800-53, August 2009
[2] K. Scarfone, M. Souppaya, A. Cody, A. Orebaugh, Technical Guide to Information Security Testing and Assessment, NIST Special Publication 800-115, September 2008
[3] M. Souppaya, J. P. Wack, K. Kent, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers, NIST Special Publication 800-70, May 2005
[4] Quest Software, Choosing the right active directory bridge solution, June 2010
[5] L. Parker, Fundamentals of network security, Pacific Coast Information Systems, 2010
[6] U. K. Singh, S. Gupta, Striking the security issues in E-Commerce: A conceptual framework.
[7] http://www.techrepublic.com/blog/security/the-cia-triad/488
[8] S. I. Ahson, M. Mehrotra, S. K. Panday, S. Rehman, Technical Report 2 on Software Security Defects: A Classification Approach, submitted to DIT, Ministry of Communications & IT, Govt. of India, May 2007
[9] Access Control (ISO 17799-27002), Privacy / Data Protection Project, University of Miami, July 2006
[10] ISO/IEC 27002:2005, Information technology, Security techniques, Code of practice for information security management, ISO/IEC, 2005
[11] SANS, Infosec Acceptable Use Policy, 2006
[12] SANS, Guidelines on antivirus process, 2006
[13] SANS, Remote Access Tools Usage Policy, May 2010
[14] SANS, Visitor and Contractor Premise Access Policy, March 2010
[15] M. Durgin, Understanding the importance of and implementing internal security measures, August 2007
[16] M. A. Hadavi, H. M. Sangchi, V. S. Hamishagi, H. Shirazi, Software Security; A Vulnerability Activity, Third International Conference on Availability, Reliability and Security, IEEE Computer Society, 2008
[17] http://www.advisortek.com/resources/computer_security_checklist.htm
[18] R. M. Savola, A security metrics taxonomization model for software intensive systems, Journal of Information Processing Systems, vol. 5, no. 4, December 2009
[19] R. C. Schaeffer, National Information Assurance Glossary, Committee on National Security Systems, CNSS Instruction No. 4009, April 2010
[20] M. Narang, M. Mehrotra, Security Issue: A Metric Perspective, International Journal of Information Technology and Knowledge Management (IJITKM), vol. 3, no. 2, pp. 567-571, July-December 2010

AUTHORS PROFILE
Mukta Narang is pursuing her PhD at Jamia Millia Islamia in the area of security measurement in software intensive systems. She has written papers on security measurement issues and challenges. She is also working as an Assistant Professor with Gitarattan International Business School, affiliated with Indraprastha University, Delhi. Her areas of expertise are Software Security and Software Engineering. She is currently teaching postgraduate courses. She holds an MCA, has 9+ years of teaching experience and worked on multiple telecom projects before becoming a full time academician.

Dr. Monica Mehrotra is attached to the Department of Computer Science as Assistant Professor and has been with Jamia Millia Islamia (Central University) for ten years now. She has over 13 years of teaching and research experience. Her research interests include Information Security, Information Retrieval, Data Mining, Web Ontologies and Bioinformatics. She has four research scholars under her supervision and over thirty research papers in journals and international conferences.
