Integrated Measurement and Analysis Framework for Software Security
In today's business and operational environments, multiple organizations routinely work collaboratively to acquire, develop, deploy, and maintain technical capabilities via a set of interdependent, networked systems. Measurement in these distributed management environments can be an extremely challenging problem. The CERT Program, part of Carnegie Mellon University's Software Engineering Institute (SEI), is developing the Integrated Measurement and Analysis Framework (IMAF) to enable effective measurement in distributed environments, including acquisition programs, supply chains, and systems of systems. The IMAF defines an approach that integrates subjective and objective data from multiple sources (Targeted analysis, reports, and tactical measurement) and provides decision makers with a consolidated view of current conditions. This paper is the first in a series that addresses how to measure software security in complex environments.