This is the second part of the multipart Automated Source Code Quality Measures (ASCQM) standard (ISO/IEC 5055-1:2021). It covers common weaknesses (CWEs) that affect the protection of confidential information. Specifying this measure is important as a source of evidence for complying with regulations such as the General Data Protection Regulation (GDPR) in Europe and, in the United States, the Cybersecurity Maturity Model Certification (CMMC), the California Consumer Privacy Act (CCPA) as enhanced by the California Privacy Rights Act (CPRA), the Health Insurance Portability and Accountability Act (HIPAA) as enhanced by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the Gramm-Leach-Bliley Act (GLBA) for financial services.
This measure is calculated by detecting and counting occurrences of 89 violations of good architectural and coding practice (weaknesses) in the source code that could result in an unacceptable risk of exposure or theft of confidential information. It supplements ISO/IEC 25023, which provides measures of software product confidentiality (a subcharacteristic of security), with a measure at the source code level of how well confidential data is protected.
Many recent governmental regulations require evidence that software-intensive systems protect confidential information. Much of the evidence provided concerns the process by which these systems are developed and accessed. However, these regulations are often weak on the evidence required to show that the systems themselves are secure. This specification addresses one aspect of this problem by providing a measure of the extent to which a software system is free from weaknesses that would expose confidential information to unauthorized parties. Thus, this specification provides a measure calculated by detecting weaknesses affecting data protection in the source code.

Measurement of the structural quality characteristics of software, such as data protection, has a long history in software engineering (Curtis, 1980). Recent advances in measuring the structural quality of software involve detecting violations of good architectural and coding practice by statically analyzing source code.
Good architectural and coding practices can be stated as rules for engineering software products. Violations of these rules will be called weaknesses in this specification to be consistent with terms used in the Common Weakness Enumeration (Martin & Barnum, 2006) which includes weaknesses that affect data protection.
Recent research in analyzing structural quality weaknesses has identified common patterns of code structures that can be used to detect weaknesses. Many of these ‘Detection Patterns’ are shared across different weaknesses. Detection Patterns will be used in this specification to organize and simplify the presentation of weaknesses underlying data protection. Each weakness will be described as a quality measure element to remain consistent with ISO/IEC 25020. Each quality measure element will be represented as one or more Detection Patterns. Many quality measure elements (weaknesses) will share one or more Detection Patterns in common.
The normative portion of this specification represents each quality attribute (weakness) and quality measure element (detection pattern) using the Structured Patterns Metamodel Standard (SPMS). The code-based elements in these patterns are represented using the Knowledge Discovery Metamodel (KDM). The calculation of the Automated Source Code Data Protection Measure from its quality measure elements is then represented in the Structured Metrics Metamodel (SMM). This calculation counts the number of detection pattern occurrences for each weakness and then sums these counts over all the weaknesses included in the specific quality characteristic measure.
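The detection-pattern model and the counting scheme described in the two paragraphs above, reduced to a toy scanner. This is an example added here by the editor; it is not code from ISO/IEC 5055 or from the BSI page. The three line-level regular expressions, the CWE identifiers they are mapped to, the weakness-to-pattern table and the two embedded sample sources are all assumptions chosen for illustration: the standard's patterns are expressed in SPMS/KDM rather than as regexes, and its 89 weaknesses are not listed on this page. The example shows one weakness backed by several patterns, one pattern shared by two weaknesses, and the per-weakness count followed by the sum over weaknesses.

```python
"""Toy detection-pattern scanner illustrating the ASCQM counting scheme.

Editor's illustrative example, not ISO/IEC 5055 code. Pattern names, regexes,
CWE mappings and sample sources are assumptions for illustration only.
"""
import re
from collections import Counter

# Detection patterns (assumed): simple line regexes standing in for the
# KDM-based code patterns the standard actually uses.
PATTERNS = {
    "hardcoded_secret": re.compile(
        r'(?i)\b(api_key|secret|password|token)\s*=\s*["\'][^"\']+["\']'),
    "sensitive_in_log": re.compile(
        r'(?i)\b(logging|logger|log|print)(\.\w+)?\([^)]*\b(password|secret|token|ssn)\b'),
    "plaintext_http": re.compile(r'["\']http://'),
}

# Quality measure elements (weaknesses) mapped to one or more detection
# patterns. CWE identifiers are illustrative mappings chosen for this example,
# not a statement of which weaknesses the standard enumerates. Two patterns are
# deliberately shared with CWE-200 to show pattern sharing across weaknesses.
WEAKNESSES = {
    "CWE-798 hard-coded credentials": ("hardcoded_secret",),
    "CWE-532 sensitive information in log": ("sensitive_in_log",),
    "CWE-319 cleartext transmission": ("plaintext_http",),
    "CWE-200 exposure of sensitive information": ("sensitive_in_log", "plaintext_http"),
}


def find_pattern_hits(source):
    """Map each detection pattern name to the 1-based line numbers where it fires."""
    hits = {name: [] for name in PATTERNS}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, regex in PATTERNS.items():
            if regex.search(line):
                hits[name].append(lineno)
    return hits


def weakness_counts(hits):
    """Count detection-pattern occurrences per weakness (quality measure element).

    A pattern occurrence shared by two weaknesses is counted under each of them,
    which is how the per-weakness-then-sum description above reads; whether the
    standard instead counts it once overall is not stated on this page.
    """
    counts = Counter()
    for weakness, pattern_names in WEAKNESSES.items():
        counts[weakness] = sum(len(hits[p]) for p in pattern_names)
    return counts


def data_protection_measure(source):
    """Return (total, per-weakness counts): the sum of counts over all weaknesses."""
    counts = weakness_counts(find_pattern_hits(source))
    return sum(counts.values()), dict(counts)


# Constructed sample: five lines, three of which trip a pattern.
SAMPLE_SOURCE = """\
import logging, requests
API_KEY = "sk_live_abc123"
def login(user, password):
    logging.info("login %s %s", user, password)
    return requests.post("http://auth.example.test/login", data={"user": user, "password": password})
"""

# Constructed remediated version of the same code: secret from the environment,
# no credential in the log line, TLS endpoint.
CLEAN_SOURCE = """\
import logging, os, requests
API_KEY = os.environ["API_KEY"]
def login(user, password):
    logging.info("login attempt for %s", user)
    return requests.post("https://auth.example.test/login",
                         data={"user": user, "password": password},
                         headers={"X-Api-Key": API_KEY})
"""

if __name__ == "__main__":
    for label, src in (("weak", SAMPLE_SOURCE), ("remediated", CLEAN_SOURCE)):
        total, per_weakness = data_protection_measure(src)
        print(f"{label}: measure = {total}")
        for weakness, n in per_weakness.items():
            print(f"  {n}  {weakness}")
```

On the weak sample the hard-coded key, the logged password and the plaintext URL each fire one pattern; because two of those patterns also back CWE-200, the summed measure is 5 rather than 3. The remediated sample scores 0, which is the direction a data-protection measure should move after a fix.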