Quantifying satisfaction of security features of cloud software systems

What is claimed is: 1 . A method, comprising: characterizing a security requirement; matching the security requirement to a security metric; computing a quantification score that indicates an exploitability of a system to which the security requirement is applied; and outputting the quantification score to a security analyst, wherein the security metric is one of a plurality of security metrics matched to the security requirement, the method further comprising: in response to the quantification score being below a satisfaction threshold, identifying, to the security analyst, at least one security requirement of a plurality of security requirements that was not satisfied, and wherein the method is performed on a virtual machine of a cloud infrastructure including a virtual processor and a virtual memory. 2 . The method of claim 1 , wherein characterizing the security requirement further comprises: identifying an asset in a computing environment to protect according to the security requirement; and identifying a security objective of the security requirement to protect the asset. 3 . The method of claim 1 , wherein matching the security requirement to the security metric further comprises: identifying an exploitability measure, a defense measure, and an attack strength measure. 4 . The method of claim 3 , wherein quantifying the security requirement further comprises: computing the exploitability measure, the defense measure, and the attack strength measure to quantify a level of satisfaction of the security requirement. 5 . The method of claim 1 , wherein the security requirement is one of a plurality of security requirements characterized to quantify the exploitability of the system. 6 . A system, comprising: a processor; and a memory including instructions that when executed by the processor perform operations that comprise: characterizing a security requirement; matching the security requirement to a security metric; computing a quantification score that indicates an exploitability of a system to which the security requirement is applied; and outputting the quantification score to a security analyst, wherein the security metric is one of a plurality of security metrics matched to the security requirement, the operations further comprising: in response to the quantification score being below a satisfaction threshold, identifying, to the security analyst, at least one security requirement of a plurality of security requirements that was not satisfied, and wherein the processor comprises a virtual processor and the memory comprises a virtual memory provided as part of a virtual machine of a cloud infrastructure. 7 . The system of claim 6 , wherein characterizing the security requirement further comprises: identifying an asset in a computing environment to protect according to the security requirement; and identifying a security objective of the security requirement to protect the asset. 8 . The system of claim 6 , wherein matching the security requirement to the security metric further comprises: identifying an exploitability measure, a defense measure, and an attack strength measure. 9 . The system of claim 8 , wherein quantifying the security requirement further comprises: computing the exploitability measure, the defense measure, and the attack strength measure to quantify a level of satisfaction of the security requirement. 10 . The system of claim 6 , wherein the security requirement is one of a plurality of security requirements characterized to quantify the exploitability of the system. 11 . A non-transitory computer readable memory including instructions that when executed by a processor perform operations comprising: characterizing a security requirement; matching the security requirement to a security metric; computing a quantification score that indicates an exploitability of a system to which the security requirement is applied; and outputting the quantification score to a security analyst, wherein the security metric is one of a plurality of security metrics matched to the security requirement, the operations further comprising: in response to the quantification score being below a satisfaction threshold, identifying, to the security analyst, at least one security requirement of a plurality of security requirements that was not satisfied, and wherein the operations are performed on a virtual machine of a cloud infrastructure including a virtual processor and a virtual memory. 12 . The computer readable memory of claim 11 , wherein characterizing the security requirement further comprises: identifying an asset in a computing environment to protect according to the security requirement; and identifying a security objective of the security requirement to protect the asset. 13 . The computer readable memory of claim 11 , wherein matching the security requirement to the security metric further comprises: identifying an exploitability measure, a defense measure, and an attack strength measure. 14 . The computer readable memory of claim 13 , wherein quantifying the security requirement further comprises: computing the exploitability measure, the defense measure, and the attack strength measure to quantify a level of satisfaction of the security requirement. 15 . The computer readable memory of claim 11 , wherein the security requirement is one of a plurality of security requirements characterized to quantify the exploitability of the system.