Security is a very important software attribute. The ability to quantify software security would help improve the quality and reliability of software of any type. Wang et al. attempt to provide a methodology for calculating software security metrics by quantifying vulnerability parameters.
Common Vulnerability Scoring System (CVSS) metrics (base metrics, temporal metrics, and environmental metrics) are used to quantify the severity and risk of each vulnerability, with the temporal metrics accounting for the time factor. Wang et al. detail a sample application, including a security metrics calculation, by comparing Web browsers: Mozilla Firefox 2, Microsoft Internet Explorer 6, and Microsoft Internet Explorer 7. This paper is only a first attempt to explain and demonstrate the software security metrics calculation. Known vulnerabilities are the input to the metrics calculation.
In the sample application, the weaknesses selected for the various Web browsers are not the same; therefore, the calculated software security scores cannot be used for comparison purposes. The source of the data used for Microsoft Internet Explorer 6 and 7 is not stated.