SOSS Fusion 2024

Systems today are primarily assemblies of reused components many of which are Open-Source software. The reuse of software has enabled faster fielding of systems since common components, but all software comes with vulnerabilities, and attackers have expanded their capabilities to exploit them in products that have broad use especially Open Source. How should an organization make appropriate trade-off choices among cost, schedule, and cybersecurity? Over the history of software engineering, we have learned that software metrics for both the process and the product are needed. We have also explored many aspects of cybersecurity measurement and determined that we must be able to measure the processes for developing and using software and how those measurement results affect the product’s cybersecurity. It is insufficient to measure only operational code, its vulnerabilities, and the attendant risk of successful hacks. Relying on the assumption that many eyeballs looking at the software ensures better security is of little value without an understanding of what was analyzed and how knowledgeable were those performing the analysis.