Background: As software development advances, software poses threats and risks to customers' data and privacy. Most of these threats persist because security is usually treated as a feature or a non-functional requirement rather than being taken into account throughout the Software Development Life Cycle (SDLC).
Introduction: To evaluate the security performance of a software system, security metrics must be integrated into the SDLC. Appropriate security metrics adopted for each phase of the SDLC help define the software's security goals and objectives and quantify the security of the software.
Methods: This paper presents a review and catalog of security metrics that can be adopted during the distinct phases of the SDLC, together with the security metrics for vulnerability and risk assessment reported in the literature for secure software development. Applying these metrics enables software security experts to improve the security characteristics of the software being developed. A critical analysis of the security metrics of each phase and a comparison among them are also discussed.
Results: Security metrics obtained during the development process help improve the confidentiality, integrity, and availability of software. Hence, it is imperative to consider security during software development, which can be done by using software security metrics.
Conclusion: This paper reviews the various security metrics considered in the different phases of the SDLC in order to provide researchers and practitioners with substantial knowledge for adaptation and further security assessment.