In today's world, where most of the critical infrastructures are based on distributed systems, security failures have become very common, even within large corporations. A system with security loopholes can be damaging for companies, both in terms of reputation and finances, while customers are reluctant to use such systems. In that respect, providing stakeholders with quantifiable evidences that the countermeasures deployed on the system are operating adequately is an important step towards better control of security failures for network administrators on one hand, and an increase in end users' trust in using these systems on the other. It is in that perspective that BUGYO, a methodology to assess the security of telecommunication networks and services in terms of assurance levels, was proposed to address the shortcomings of existing security assurance and risks management methodologies in measuring, documenting and maintaining security assurance of telecommunication services. In this paper, we provide an overview of the BUGYO methodology and we demonstrate its applicability (mainly with respect to the specification of assurance metrics) on a VoIP service infrastructure based on open source components
