A Security Practices Evaluation Framework

Software development teams are increasingly faced with security concerns regarding the software they develop. While many software development security practices have been proposed, published empirical evidence for their suitability and effectiveness is limited. We would like to be able to answer questions like ‘Where do we start with security practices?’, ‘Is it possible to pick one or two areas to focus on, or is a comprehensive strategy required?’, and ‘How much is this effort costing, and is it worth it in light of our risk?’. To answer these questions, and others, we propose a measurement framework to enable empirical data collection for security practice use and outcomes in software development.

On this website, we describe the data elements of the Security Practices Evaluation Framework (SP-EF) and provide guidance on how to collect them. SP-EF contains three categories of data elements: context factors, practice adherence metrics, and outcome measures. Context factors are a set of attributes and values that provide a basis of comparison between projects measured using SP-EF. Practice adherence metrics are a set of attributes and values that describe the security practices in use on a project, and the degree to which the project team adheres to each practice. Outcome measures are a set of attributes and values that describe the security-related outcomes of the project.

To support detailed analysis, we represent each element of the framework in a model of the software development lifecycle. This enables study of the relative importance of focusing on security in each phase of software development, and measurement of the validity and reliability of the framework itself.

Context Factors

Security Practices

Outcome Measures