Field of the Invention
The present invention relates in general to the field of computers and similar technologies, and in particular to security qualities of software utilized in this field. Still more particularly, it relates to a method, system and computer-usable medium for determining the difficulty level, effort degrees, cost sizing and process decisions involved in analyzing, assessing or auditing the security of the software system.
Description of the Related Art
Organizations today are exposed to a greater volume and variety of attacks than in the past. Advanced attackers are clever and patient, leaving just a whisper of their presence. Accordingly, it is desirable to provide security functionality which helps to detect and defend against threats by applying sophisticated analytics to more types of data. It is also desirable to provide such security functionality which identifies high-priority incidents that might otherwise get lost in the noise of the overall operation of a large scale information processing environment. Insecure software systems, exhibiting vulnerabilities that arise from insecure design, coding, testing and deployment processes, are principally responsible for the greater risk organizations face from increasing levels of attacks. The magnitude, scope, effort and cost involved in analyzing software systems for security issues are difficult for humans to estimate accurately. The challenge is further amplified when such assessments are required to be repeatable and predictable. The attributes, complexity and interdependencies of a software system are far too complex for humans, even with great experience, to comprehend to a degree that would allow such estimations to be effective. Statistical analysis based on decomposition of software system features, complexity categorization, code structure and static and run-time dependencies, aided by machine learning algorithms, can produce continually refined machine generated estimates of the effort, cost and other useful decision parameters of a software security analysis, assessment or audit.
It is known to provide security functionality to IT environments via security intelligence platforms which integrate security information and event management (SIEM), log management, anomaly detection, vulnerability management, risk management and incident forensics into a unified solution. One aspect of providing a customer with a security intelligence platform relates to identifying potential security vulnerabilities of customer software. The process of identifying software security vulnerabilities often involves testing and analysis. It is desirable for the security intelligence platform provider to perform an estimation operation to accurately estimate an effort and cost sizing of the identification process prior to actually performing the identification process.
This estimation is desirable to help estimate the required commitment of delivery resources, testing scope, contractual obligations and service levels, as well as an accurate price to which a prospective customer commits. Such estimation is often performed using a subjective, non-analytical approach that may result in suboptimal resource utilization and poor commercial service financial performance. The less accurate the estimates, the less confidence a provider and customer have in the value provided, and the higher the resulting risk to the security intelligence platform provider. With increasing price pressures from competitors, it is desirable for a security intelligence platform provider to develop methods that allow the provider to produce security vulnerability assessment estimations accurately, repeatedly and reliably.