Analysis of software vulnerabilities through historical data

University essay from Lunds universitet/Institutionen för elektro- och informationsteknik

Abstract: Software security has become an increasingly hot topic of debate during the last few years of cyberattacks, especially now that we are entering the era of the Internet of Things. How does the developer of a product decide which software to include from a security perspective, and is it possible to create a tool for software comparison that the developer could use for this purpose? The aim of this thesis is to investigate which metrics are available for measuring the overall level of security in software and to suggest ways in which these metrics can be used. This study is done partly by reviewing previous research on software security metrics and partly by analyzing metrics in different categories, such as general metrics about the software, metrics based on historical data, and more detailed metrics about the vulnerabilities in the software. A small survey is also performed to gather opinions about some of these metrics from potential end-users of a scoring system. Ideas for scoring systems that can use these metrics are suggested; however, no weights for these metrics are determined. The conclusion is that, under current circumstances, creating a good automated scoring system is difficult due to a lack of data; however, there are exciting opportunities for continued research, and ideas for new approaches are presented.
