Building Metrics to Quantify the Security of Software Components

Prepared By Editor-in-Chief

International Journal of Innovative Solutions in Engineering is semi-annual publishing

Research Article

DOI: https://doi.org/10.47960/3029-3200.2025.1.2.65
Ivan Markić* ORCID iD and Ivan Boban ORCID iD
*CAivan.markic@fsre.sum.ba
ivan.boban@hteronet.ba

Full text:

Vol. 1 No. 2 Article 12

pages 65-74

Cite

I. Markić and I. Boban, “Building Metrics to Quantify the Security of Software Components,” International Journal of Innovative Solutions in Engineering, vol. 1, no. 2, pp. 65–74, Jul. 2025, doi: 10.47960/3029-3200.2025.1.2.65.

Download a citation file:

Vol. 1 No. 2 Article 12Download

Preview and download a citation file in BibTex format that can be imported by citation management software, including Mendeley, EndNote, ProCite, RefWorks, and Reference Manager.

This article is archived in Zenodo

DOI

Abstract

Quantitative assessment of the security of software components is an essential but underdeveloped aspect in software engineering and cybersecurity. Although security analysis is increasingly being integrated into the software development phases, there are currently no universally accepted criteria that would allow a numerical comparison of the security level of different components. This paper proposes a conceptual framework for defining and applying metrics that enable such an assessment. The possibility of building a system that supports standardized, objective, and scalable security evaluation in development and integration environments is explored by analyzing fundamental software components and their evaluation based on clearly defined security properties. The results of the study open space for improvement of existing security practices and point to specific guidelines for integrating quantitative security assessment into the software development life cycle.

Keywords

Software Security, Software Metrics, Component Assessment, Quantitative Analysis, Security Risks

ijise ID

12

URI

https://ijise.ba/article/12/

Publication Date

Jul. 17, 2025

References

  1. Common Vulnerabilities and Exposures (CVE), (n.d.). https://www.cve.org/ (accessed August 17, 2025).
  2. CWE Top 25 Most Dangerous Software Weaknesses, (n.d.). https://cwe.mitre.org/top25/ (accessed August 17, 2025).
  3. OWASP Top Ten, (n.d.). https://owasp.org/www-project-top-ten/ (accessed August 17, 2025).
  4. ISO/IEC 29147:2018 – Information technology, security techniques, vulnerability disclosure, (n.d.). https://www.iso.org/standard/72311.html (accessed August 17, 2025).
  5. ISO/IEC 27004:2016 – Information security management, monitoring, measurement, analysis and evaluation, (n.d.). https://www.iso.org/standard/64120.html (accessed August 17, 2025).
  6. M. Pendleton, R. Garcia-Lebron, S. Xu, A Survey on Security Metrics, (2016). http://arxiv.org/abs/1601.05792.
  7. T.H.M. Le, H. Chen, M.A. Babar, A Survey on Data-driven Software Vulnerability Assessment and Prioritization, ACM Comput Surv 55 (2022). https://doi.org/10.1145/3529757.
  8. S. Elder, M.R. Rahman, G. Fringer, K. Kapoor, L. Williams, A Survey on Software Vulnerability Exploitability Assessment, ACM Comput Surv 56 (2024) 1–41. https://doi.org/10.1145/3648610.
  9. Y. Jiang, N. Oo, Q. Meng, H.W. Lim, B. Sikdar, A Survey on Vulnerability Prioritization: Taxonomy, Metrics, and Research Challenges, (2025). http://arxiv.org/abs/2502.11070.
  10. Common Vulnerability Scoring System (CVSS), (n.d.). https://www.first.org/cvss/ (accessed August 17, 2025).
  11. A. Agrawal, R.A. Khan, Assessing and Improving Encapsulation for Minimizing Vulnerability of an Object Oriented Design, in: Communications in Computer and Information Science, Springer, Berlin, Heidelberg, 2011: pp. 531–533. https://doi.org/10.1007/978-3-642-25734-6_90.
  12. Exploit Prediction Scoring System (EPSS), (n.d.). https://www.first.org/epss/ (accessed August 17, 2025).
  13. Known Exploited Vulnerabilities Catalog (KEV CISA), (n.d.). https://www.cisa.gov/known-exploited-vulnerabilities-catalog (accessed August 16, 2025).
  14. National Vulnerability Database (NVD), (n.d.). https://nvd.nist.gov/ (accessed August 17, 2025).
  15. Death Knell of the NVD? – by Chris Hughes – Resilient Cyber, (n.d.). https://www.resilientcyber.io/p/death-knell-of-the-nvd (accessed August 16, 2025).
  16. Open Source Vulnerabilities (OSV), (n.d.). https://osv.dev/ (accessed August 16, 2025).
  17. GitHub Security Advisories (GHSA), (n.d.). https://github.com/advisories (accessed August 17, 2025).
  18. Common Attack Pattern Enumeration and Classification (CAPEC), (n.d.). https://capec.mitre.org/ (accessed August 17, 2025).
  19. MITRE ATT&CK, (n.d.). https://attack.mitre.org/ (accessed August 17, 2025).
  20. B. Carlsson, D. Baca, Software Security Analysis – Execution Phase Audit, EUROMICRO Conference (2005) 240–247. https://doi.org/10.1109/EURMIC.2005.54.
  21. F. Lomio, E. Iannone, A. De Lucia, F. Palomba, V. Lenarduzzi, Just-in-time software vulnerability detection: Are we there yet?, Journal of Systems and Software 188 (2022) 111283. https://doi.org/10.1016/j.jss.2022.111283.
  22. N. Dissanayake, A. Jayatilaka, M. Zahedi, M.A. Babar, Software security patch management – A systematic literature review of challenges, approaches, tools and practices, Inf Softw Technol 144 (2022) 106771. https://doi.org/10.1016/j.infsof.2021.106771.
  23. N.S. Harzevili, J. Shin, J. Wang, S. Wang, N. Nagappan, Characterizing and Understanding Software Security Vulnerabilities in Machine Learning Libraries, in: 2023 IEEE/ACM 20th International Conference on Mining Software Repositories (MSR), IEEE, 2023: pp. 27–38. https://doi.org/10.1109/MSR59073.2023.00018.
  24. P. Mell, K. Scarfone, S. Romanosky, A Complete Guide to the Common Vulnerability Scoring System Version 2.0, Forum of Incident Response and Security Teams (FIRST) (2007).
  25. L. Allodi, F. Massacci, Comparing Vulnerability Severity and Exploits Using Case-Control Studies, ACM Transactions on Information and System Security 17 (2014) 1–20. https://doi.org/10.1145/2630069.
  26. S. Neuhaus, T. Zimmermann, Security Trend Analysis with CVE Topic Models, in: 2010 IEEE 21st International Symposium on Software Reliability Engineering, IEEE, 2010: pp. 111–120. https://doi.org/10.1109/ISSRE.2010.53.
  27. A. Gueye, P. Mell, A Historical and Statistical Studyof the Software Vulnerability Landscape, (2021). http://arxiv.org/abs/2102.01722.
  28. G. Gori, L. Rinieri, A. Melis, A. Al Sadi, F. Callegati, M. Prandini, A Systematic Analysis of Security Metrics for Industrial Cyber–Physical Systems, Electronics (Basel) 13 (2024) 1208. https://doi.org/10.3390/electronics13071208.
  29. E.K. Adejumo, B. Johnson, M. Guizani, Commit Stability as a Signal for Risk in Open-Source Projects, (2025). http://arxiv.org/abs/2508.02487.
  30. C. Sabottke, O. Suciu, T. Dumitras, Vulnerability Disclosure in the Age of Social Media: Exploiting Twitter for Predicting Real-World Exploits, 24th USENIX Security Symposium (2015).
  31. A. Almogahed, M. Omar, N.H. Zakaria, A. Alawadhi, Software Security Measurements: A Survey, in: 2022 International Conference on Intelligent Technology, System and Service for Internet of Everything (ITSS-IoE), IEEE, 2022: pp. 1–6. https://doi.org/10.1109/ITSS-IoE56359.2022.9990968.
  32. Study – Software security vulnerabilities persist for months, (n.d.). https://www.axios.com/2018/10/24/vulnerable-apps-software-security-veracode-study (accessed August 17, 2025).
  33. IT staff take as long as 1 month to fix security flaws, (n.d.). https://www.axios.com/2023/10/10/patching-security-flaws-slow (accessed August 17, 2025).
  34. OWASP Application Security Verification Standard (ASVS) | OWASP Foundation, (n.d.). https://owasp.org/www-project-application-security-verification-standard/ (accessed August 18, 2025).
  35. D.J. Bodeau, R.D. Graubart, R.M. Mcquaid, J. Woodill, Cyber Resiliency Metrics, Measures of Effectiveness, and Scoring, 2018. https://www.mitre.org/sites/default/files/2021-11/prs-18-2579-cyber-resiliency-metrics-measures-of-effectiveness-and-scoring.pdf (accessed August 16, 2025).
Post Views: 563

Toward Integrated Compliance with GDPR and the EU AI Act Based on Empirical Findings

Announcement: IJISE issue is officially published! (vol. 1, no.2)

ISSN: 3029-3200

Reach out to us for more opportunities

If you have any inquiries, please use the information below to contact us.

Contact Us

All articles published in the International Journal of Innovative Solutions in Engineering (IJISE) are preserved in Zenodo for long-term archiving and global accessibility.

© 2026 by The Author(s). Licensee IJISE by Faculty of Mechanical Engineering, Computing and Electrical Engineering, University of Mostar. All articles are an open-access and distributed under the terms and conditions of the CC BY 4.0