Background:
With the advancement in the field of software development, software poses threats and risks to
customers’ data and privacy. Most of these threats are persistent because security is mostly considered as a feature or a
non-functional requirement, not taken into account during the software development life cycle (SDLC).
Introduction: In order to evaluate the security performance of a software system, it is necessary to integrate the security
metrics during the SDLC. The appropriate security metrics adopted for each phase of SDLC aids in defining the security
goals and objectives of the software as well as quantify the security in the software.
Methods:
This paper presents systematic review and catalog of security metrics that can be adopted during the
distinguishable phases of SDLC, security metrics for vulnerability and risk assessment reported in the literature for secure
development of software. The practices of these metrics enable software security experts to improve the security
characteristics of the software being developed. The critical analysis of security metrics of each phase and their
comparison are also discussed.
Results:
Security metrics obtained during the development processes help to improve the confidentiality, integrity, and
availability of software. Hence, it is imperative to consider security during the development of the software, which can be
done with the use of software security metrics.
Conclusion:
This paper reviews the various security metrics that are meditated in the copious phases during the
progression of the SDLC in order to provide researchers and practitioners with substantial knowledge for adaptation and
further security assessment.
Software Security Requirement Engineering for Risk and Compliance Management