Authors:
Dr. Bill Curtis, Executive Director, CISQ
Katie Hart, Program Manager, CISQ
What is ISO/IEC 5055:2021?
ISO/IEC 5055:2021 (which will be referred to as ISO 5055 hereafter) is an ISO standard for measuring the internal structure of a software product on four business-critical factors: Security, Reliability, Performance Efficiency, and Maintainability. These are the factors that determine how trustworthy, dependable, and resilient a software system will be.
Why is ISO 5055 important?
Before ISO 5055, there was no international standard for measuring the quality and integrity of a software system by analyzing its internal construction to detect severe structural weaknesses. This would be equivalent to evaluating a house by its outward appearance without ever checking its internal structure for wood rot. Existing software standards measured after-the-fact operational measures that assessed the costly operational effects of severe weaknesses. ISO 5055 provides before-the-fact measures of the product’s software during development to identify and eliminate structural weaknesses before they cause operational problems.
How are ISO 5055 measures computed?
A team of international software experts at CISQ sorted through a wide range of software weaknesses and selected the most dangerous ones for inclusion in ISO 5055 measures, where ‘danger’ was based on knowing a weakness had to be removed from the software to avoid damaging business operations or excessive IT costs. The search for severe weaknesses must be conducted across the entire stack of software technologies and their interconnections that compose a modern system. Counts of the weaknesses are calculated for each of the four factors that may then be transformed into comparative measures such as the density of weaknesses or the sigma level achieved by the product.
What are some examples of ‘dangerous’ weaknesses?
The ISO 5055 weaknesses include serious problems at both the architectural and component levels to provide a complete evaluation of the factors determining a system’s trustworthiness, dependability, and resilience. ‘Ban Unintended Paths’ is an architectural weakness that violates security and data protection controls by allowing a path from the user interface directly to the database without passing through user authentication routines. ‘Improper Resource Shutdown or Release’ is a reliability weakness that has frozen customer-facing systems during critical business hours. The other weaknesses comprising ISO 5055 have similar undesirable impacts on business operations and IT costs.
How can we use these measures?
ISO 5055 measures can be used to set measurable targets for ensuring the trustworthiness, dependability, and resilience of software systems. These targets can be written into requests for proposals, statements of work, and contracts as acceptance criteria for software products delivered by system integrators, software vendors, and other third-party suppliers. They can also be used with internal software teams to establish release criteria or improvement targets. Some of the weaknesses contained in ISO 5055, such as the most dangerous security and reliability weaknesses, should be marked as ‘unacceptable,’ and software cannot be put into operation until they have been removed.
How do I implement ISO 5055?
The ISO 5055 standard is implemented by vendors of static analysis technology that detect, report, and measure its weaknesses across the entire technology stack and its interconnections. IT organizations should select a vendor technology that is endorsed by the Consortium for Information and Software Quality (www.it-cisq.org), the originator of the ISO 5055 standard, as being conformant with ISO 5055. Static analysis at the system level should become a standard task in vendor acceptance, application modernization, and quality assurance processes.
How does 5055 relate to other standards?
The four measures in ISO 5055 evaluate 4 of the 8 quality characteristics specified in ISO/IEC 25010, the ISO quality model for software systems. Each of the ISO 5055 measures conforms to the definition of its associated quality characteristic in ISO/IEC 25010. The set of weaknesses in each measure were checked to ensure coverage of the entire domain of issues in the associated quality characteristic. ISO 5055 measures supplement ISO/IEC 25023 (which defines software measures mainly at the operational rather than the product level) by developing structural and architectural measures from the product’s software. Each ISO 5055 weakness is included in the Common Weakness Enumeration Repository (mitre.cwe.org), a listing of the most severe software weaknesses, which is an International Telecommunication Union (ITU) standard.
Where can I get ISO 5055?
ISO 5055 is free and can be accessed from the CISQ website. As we continue to build software standards, we’d love to hear from you and learn how you are using ISO 5055. Please contact CISQ at [email protected]