De ning an Adaptive Software Security Metric from a Dynamic Software Failure Tolerance Measure

This paper describes a software assessment method that is being implemented to quantitatively assess in formation system security and survivability Our ap proach which we call Adaptive Vulnerability Analysis exercises software in source code form by simulat ing incoming malicious and non malicious attacks that fall under various threat classes A quantitative met ric is computed by determining whether the simulated threats undermine the security of the system as de ned by the user according to the application program This approach stands in contrast to common security assur ance methods that rely on black box techniques for test ing completely installed systems AVA does not provide an absolute metric such as mean time to failure but instead provides a relative metric allowing a user to compare the security of di erent versions of the same system or to compare non related systems with similar