Building more secure software is a recent concern for software engineers due to the increasing incidence of security breaches. Security can be considered both a functional and a quality requirement. Cost models like COCOMO II relate the functional dimension of software to the size component of the model, whereas the effort associated with the non-functional (or quality) aspect of security in software development requires a cost driver to account for the additional effort to implement security in software.

A few security cost estimation models have been proposed. Besides the lack of empirical validation, most of these models use the Common Criteria (CC) standard's Evaluation Assurance Levels to define the levels of security in software development. However, this standard has mostly been used to assess and certify the security of IT products and has been criticized by software developers.

Our previous studies, drawing on both the academic literature and practitioners, have shown that security practices are the main aspect to consider when estimating the costs of developing secure software. Thus, instead of using the CC standard, we propose a rating scale to qualitatively measure the secure software development level based on the different degrees to which security practices are in use. We expect that such a rating scale will better capture the secure software development scenario in a project. Our final goal is to provide a parametric model that takes as input the usage degrees of security practices and outputs the additional effort for secure software development.
Bradford Clark
University of Southern California Adjunct Research Assistant Professor of Computer Science. His area of expertise is software cost and schedule data collection, analysis and parametric modeling.