Application security metrics from the organization on down to .ppt
Slide 1: Application security metrics from the organization on down to the vulnerabilities
Chris Wysopal, CTO, Veracode
November 13, 2009, 11:30am-12:30pm

Slide 2: Agenda
- Why use metrics?
- Challenges & Goals for Application Security Metrics
- Enumerations
- Organizational Metrics
- Testing Metrics
- Application Metrics
- WASC Web Application Security Statistics Project 2008
- Future Plans

Slide 3
"To measure is to know." James Clerk Maxwell, 1831-1879
"Measurement motivates." John Kenneth Galbraith, 1908-2006

Slide 4: Metrics do matter
- Metrics quantify the otherwise unquantifiable
- Metrics can show trends, and trends matter more than measurements do
- Metrics can show if we are doing a good or bad job
- Metrics can show if you have no idea where you are
- Metrics establish where "You are here" really is
- Metrics build bridges to managers
- Metrics allow cross-sectional comparisons
- Metrics set targets
- Metrics benchmark yourself against the opposition
- Metrics create curiosity
Source: Andy Jaquith, Yankee Group, Metricon 2.0

Slide 5: Metrics don't matter
- It is too easy to count things for no purpose other than to count them
- You cannot measure security, so stop
- The following is all that matters, and you can't map security metrics to them: maintenance of availability; preservation of wealth; limitation on corporate liability; compliance; shepherding the corporate brand
- Cost of measurement not worth the benefit
Source: Mike Rothman, Security Incite, Metricon 2.0

Slide 6: Bad metrics are worse than no metrics

Slide 7: Security metrics can drive executive decision making
- How secure am I?
- Am I better off than this time last year?
- Am I spending the right amount of $?
- How do I compare to my peers?
- What risk transfer options do I have?
Source: Measuring Security Tutorial, Dan Geer

Slide 8: Goals of Application Security Metrics
- Provide quantifiable information to support enterprise risk management and risk-based decision making
- Articulate progress towards goals and objectives
- Provide a repeatable, quantifiable way to assess, compare, and track improvements in assurance
- Focus activities on risk mitigation in order of priority and exploitability
- Facilitate adoption and improvement of secure software design and development processes
- Provide an objective means of comparing and benchmarking projects, divisions, organizations, and vendor products
Source: Practical Measurement Framework for Software Assurance and Information Security, DHS SwA Measurement Working Group

Use Enumerations
- Common Vulnerabilities and Exposures (CVE)
- Common Weakness Enumeration (CWE)
- Common Attack Pattern Enumeration and Classification (CAPEC)
Enumerations help identify specific software-related items that can be counted, aggregated, and evaluated over time.

Slide 10: Organizational Metrics
- Percentage of application inventory developed with SDLC (which version of SDLC?)
- Business criticality of each application in inventory
- Percentage of application inventory tested for security (what level of testing?)
- Percentage of application inventory remediated and meeting assurance requirements
- Roll-up of testing results

Slide 11: Organizational Metrics
- Cost to fix defects at different points in the software lifecycle
- Cost of data breaches related to software vulnerabilities

Slide 12: Testing Metrics
- Number of threats identified in threat model
- Size of attack surface identified
- Percentage code coverage (static and dynamic)
- Coverage of defect categories (CWE)
- Coverage of attack pattern categories (CAPEC)

SANS Top 25 Mapped to Application Security Methods
Source: 2009 Microsoft

Weakness Class Prevalence based on 2008 CVE data
4855 total flaws tracked by CVE in 2008

Basic Metrics: Defect counts
Design and implementation defects
CWE i
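The organizational metrics on slides 10 and 11 and the CWE coverage metric on slide 12 are all roll-ups over an application inventory. The script below is an added example, not code from the deck or from Veracode: it computes, over a small constructed inventory, the share of applications built under an SDLC (broken out by SDLC version), tested (by test level) and remediated, a roll-up of open findings per CWE, and the fraction of a target CWE list the testing programme actually covered. It goes one step beyond the slides by reporting each percentage both by application count and weighted by business criticality, so that an untested high-criticality application is not hidden behind many tested low-criticality ones. The application names, CWE ids, criticality weights and target CWE list are invented for illustration.

```python
"""Roll up application security metrics from an application inventory.

Added example (not from the slides). Every record below is constructed:
application names, findings, criticality weights and the target CWE list.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class App:
    name: str
    criticality: str                  # "high" | "medium" | "low"
    sdlc_version: Optional[str]       # None if not developed under a secure SDLC
    test_level: Optional[str]         # None | "static" | "static+dynamic"
    # CWE id -> open finding count; a 0 means the category was tested and found clean
    findings: Dict[str, int] = field(default_factory=dict)
    remediated: bool = False          # meets assurance requirements


# Assumed weights so that criticality can drive the roll-up (constructed).
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Constructed sample inventory.
INVENTORY = [
    App("payments", "high", "SDLC v2", "static+dynamic", {"CWE-89": 0, "CWE-79": 2}, False),
    App("portal", "high", "SDLC v2", "static+dynamic", {}, True),
    App("reporting", "medium", "SDLC v1", "static", {"CWE-79": 1, "CWE-22": 1}, False),
    App("intranet-wiki", "low", None, None, {}, False),
    App("batch-export", "low", None, "static", {"CWE-798": 1}, False),
]

# CWE categories the test programme is expected to cover (constructed subset).
TARGET_CWES = ["CWE-79", "CWE-89", "CWE-22", "CWE-798", "CWE-352", "CWE-287"]


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 for an empty denominator."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def weight(app):
    return CRITICALITY_WEIGHT[app.criticality]


def organizational_metrics(inventory):
    """Share of the inventory (by count and by criticality weight) meeting each criterion."""
    total = len(inventory)
    total_w = sum(weight(a) for a in inventory)

    def share(pred):
        hits = [a for a in inventory if pred(a)]
        return {"by_count": pct(len(hits), total),
                "by_criticality": pct(sum(weight(a) for a in hits), total_w)}

    return {
        "developed_with_sdlc": share(lambda a: a.sdlc_version is not None),
        "sdlc_versions": dict(Counter(a.sdlc_version for a in inventory if a.sdlc_version)),
        "tested": share(lambda a: a.test_level is not None),
        "test_levels": dict(Counter(a.test_level for a in inventory if a.test_level)),
        "remediated": share(lambda a: a.remediated),
    }


def rollup_findings(inventory):
    """Open findings per CWE across the inventory, raw and weighted by criticality."""
    raw, weighted = Counter(), Counter()
    for a in inventory:
        for cwe, n in a.findings.items():
            if n:  # skip categories that were tested and found clean
                raw[cwe] += n
                weighted[cwe] += n * weight(a)
    return {"open_by_cwe": dict(raw), "weighted_by_cwe": dict(weighted)}


def cwe_coverage(inventory, targets):
    """Fraction of target CWE categories for which any test produced a result."""
    seen = {cwe for a in inventory for cwe in a.findings}
    covered = [c for c in targets if c in seen]
    return {"covered": covered,
            "missing": [c for c in targets if c not in seen],
            "pct": pct(len(covered), len(targets))}


if __name__ == "__main__":
    for name, value in organizational_metrics(INVENTORY).items():
        print(f"{name}: {value}")
    print("findings:", rollup_findings(INVENTORY))
    print("cwe coverage:", cwe_coverage(INVENTORY, TARGET_CWES))
```

In the sample data 80% of applications are tested by count but 90% by criticality weight, while only 20% (30% weighted) are remediated; the coverage report also names the target CWE categories no test touched, which is the actionable part of the "coverage of defect categories" metric.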
Link: http://www.mydoc123.com/p-378501.html