The Applicability of Existing Metrics for Software Security

With the increasing inclination of people to use software systems for most of the purposes, comes a major challenge for software engineers – the engineering of secure software systems. The concept of ―Computer Security‖ is being heavily researched and this perfectly makes sense in a world where e-commerce and egovernance are becoming the norms of the day. Along with their potential for making life easier and smarter for people, these systems also carry with them the danger of insecurity. Because any software system is an outcome of some software engineering process it makes sense to incorporate security considerations during the software engineering processes. This is easier said than done because traditional software engineering approaches are requirements driven and pay very little, if any, attention to security. Tom DeMarco [1] stated, ―You can’t control what you can't measure.‖ This clearly states the importance of metrics in software engineering. Traditional software metrics do not address the issue of security well and now with security becoming an imperative necessity of most software systems, these metrics have to be adapted to take into account the security aspect. The paper discusses the applicability of some established metrics for the security aspect.