Quantifying Software Security Risk

May 28, 2016 | by: Sherif Koussa

What are the frameworks out there that organizations can use to quantify risk?

Risk management is a hot topic across many boardrooms, so much so that the insurance and financial sectors have established frameworks that organizations can use to quantify risk. In other sectors, however, organizations still struggle to establish how to calculate the risks that stem from developing or using software.

When it comes to software, security cannot trump getting the product to market. Rather, frameworks should be used to determine which potential risks not only threaten enterprise security but could also disrupt software operations on both the customer and vendor side. Avoiding risk altogether is the best outcome, but it is highly unlikely; often the best you can hope for is to minimize risk by quantifying the potential impact and likelihood of each risk to your software projects and products.

Several people have put forth frameworks for evaluating risk across the software lifecycle, though there is no established industry standard. Key to any risk assessment strategy, however, is first estimating the likelihood that a vulnerability will be discovered and then understanding the impact of that discovery.

To reduce and respond to risk effectively, enterprises must rely on some framework to quantify it. Here are a few suggested frameworks your company can use to better measure its risks.

  • For those responsible for assessing and managing risk in development and operational settings, the Carnegie Mellon University Software Engineering Institute (SEI) Risk Management Framework, authored by Christopher J. Alberts and Audrey J. Dorofee, August 2010.
  • Build Security In: Risk Management Framework, a condensed version of the Cigital RMF designed to manage software-induced business risks, authored by Gary McGraw in 2005 and revised in July 2013.
  • Risk Management in Software Development, authored by Aihua Yan in November 2008, proposes a model for applying a risk management approach to software development projects.
  • For risk analysis from the point of view of the software vulnerability lifecycle, A Framework for Software Security Risk Evaluation using the Vulnerability Lifecycle and CVSS Metrics, by HyunChul Joh and Yashwant K. Malaiya, proposes an approach to software risk evaluation that combines a vulnerability's lifecycle stage with its CVSS metrics.
  • Factor Analysis of Information Risk (FAIR), a Value at Risk (VaR) model for information security promoted by the FAIR Institute. The Institute itself is a community that shares best practices and "provides information risk, cybersecurity and business executives with the standards and best practices to help organizations measure, manage and report on information risk from the business perspective."
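Every framework above starts from the same two estimates, likelihood and impact. The following is an added example for this post, not code from the post, from FAIR or Open FAIR, or from any of the authors cited, showing one way to carry those two estimates through to a distribution of annual loss in the spirit of FAIR rather than stopping at a single likelihood-times-impact score. The scenario names and ranges are constructed for the illustration, and the triangular and Poisson modelling choices are simplifying assumptions.

```python
"""Monte Carlo sketch of a FAIR-style software risk quantification.

Added illustration for this post; not FAIR's own model, the Open FAIR
standard, or any tooling from the authors cited above. Likelihood is
expressed as loss event frequency (events per year) and impact as loss
magnitude (cost per event), each given as a calibrated min / most likely /
max range. Simulating many years turns the pair into an annual loss
distribution whose shape a single score cannot show.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated range: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0  # mean of a triangular distribution

    def sample(self, rng: random.Random) -> float:
        # Triangular draw; FAIR tooling commonly uses PERT, this is a simpler
        # stand-in that takes the same three inputs (assumption).
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: Estimate   # likelihood: loss event frequency
    loss_per_event: Estimate    # impact: loss magnitude per event


def poisson(rng: random.Random, lam: float) -> int:
    """Number of events in one year given expected rate lam (Knuth's method)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def analytic_expected_loss(s: Scenario) -> float:
    """Closed-form annualized loss expectancy: E[frequency] * E[magnitude]."""
    return s.events_per_year.mean() * s.loss_per_event.mean()


def simulate_annual_loss(s: Scenario, years: int = 10_000, seed: int = 1) -> list:
    """One entry per simulated year: draw a rate, draw the event count, sum the events."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n = poisson(rng, s.events_per_year.sample(rng))
        losses.append(sum(s.loss_per_event.sample(rng) for _ in range(n)))
    return losses


def percentile(values: list, p: float) -> float:
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, math.ceil(p * len(ordered)) - 1))
    return ordered[idx]


def summarize(losses: list) -> dict:
    return {
        "mean": statistics.fmean(losses),      # annualized loss expectancy
        "median": statistics.median(losses),   # a typical year
        "p95": percentile(losses, 0.95),       # a 1-in-20 bad year ("value at risk")
        "p_no_loss": sum(1 for x in losses if x == 0) / len(losses),
    }


def rank(scenarios, stat: str, years: int = 10_000, seed: int = 1) -> list:
    """Scenario names ordered worst-first by one summary statistic."""
    scored = {s.name: summarize(simulate_annual_loss(s, years, seed))[stat] for s in scenarios}
    return sorted(scored, key=scored.get, reverse=True)


# Constructed scenarios (not real findings): one frequent-but-cheap,
# one rare-but-catastrophic. Frequencies are events per year, losses in dollars.
FREQUENT = Scenario("Credential stuffing against the login endpoint",
                    Estimate(0.5, 2.0, 6.0), Estimate(10_000, 50_000, 400_000))
RARE = Scenario("Remote code execution in a public-facing service",
                Estimate(0.02, 0.1, 0.5), Estimate(500_000, 2_000_000, 10_000_000))

if __name__ == "__main__":
    for s in (FREQUENT, RARE):
        stats = summarize(simulate_annual_loss(s))
        print(s.name, {k: round(v, 2) for k, v in stats.items()})
    print("worst by median year:", rank([FREQUENT, RARE], "median"))
    print("worst by expected loss:", rank([FREQUENT, RARE], "mean"))
```

The two scenarios rank differently depending on which statistic you report: the frequent scenario dominates a typical year, while the rare one dominates the expected loss and the bad-year tail because most simulated years for it carry no loss at all. That is the information a single likelihood-times-impact cell in a heat map throws away, and it is what a board needs when deciding whether to accept, transfer or reduce a given risk.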


About the Author

Sherif Koussa
Sherif Koussa is OWASP Ottawa Chapter Co-Leader, Software Developer, Hacker, and founder and CEO of Software Secured and Reshift. In addition to contributing to OWASP Ottawa for over 14 years, Sherif contributed to WebGoat and the OWASP Cheat Sheets. Sherif also helped the SANS and GIAC organizations launch their GSSP-Java and GSSP-.NET exams and contributed to a few of their courses. After switching from the software development field to the security field, Sherif took on the mission of supporting developers in shifting security left and shipping more secure code organically.
301 Moodie Dr. Unit 108
Ottawa ON K2H 9C4

© 2023
Software Secured