{"id":334,"date":"2009-11-13T10:35:08","date_gmt":"2009-11-13T15:35:08","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=334"},"modified":"2010-02-01T19:08:24","modified_gmt":"2010-02-02T00:08:24","slug":"application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\/","title":{"rendered":"Application Security Metrics from the Organization on Down to the Vulnerabilities"},"content":{"rendered":"<p>This presentation was by Chris Wysopal, the CTO of Veracode.\u00a0 My notes are below:<\/p>\n<p>&#8220;To measure is to know.&#8221; &#8211; James Clerk Maxwell<\/p>\n<p>&#8220;Measurement motivates.&#8221; &#8211; John Kenneth Galbraith<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Metrics do Matter<\/strong><\/span><\/p>\n<ol>\n<li>Metrics quantify the otherwise unquantifiable<\/li>\n<li>Metrics can show trends, and trends matter more than measurements do<\/li>\n<li>Metrics can show if we are doing a good job or a bad job<\/li>\n<li>Metrics can show if you have no idea where you are<\/li>\n<li>Metrics establish where &#8220;You are here&#8221; really is<\/li>\n<li>Metrics build bridges to managers<\/li>\n<li>Metrics allow cross-sectional comparisons<\/li>\n<li>Metrics set targets<\/li>\n<li>Metrics benchmark yourself against the opposition<\/li>\n<li>Metrics create curiosity<\/li>\n<\/ol>\n<p><span style=\"text-decoration: underline;\"><strong>Metrics Don&#8217;t Matter (Mike Rothman)<\/strong><\/span><\/p>\n<ul>\n<li>It is too easy to count things for no purpose other than to count them<\/li>\n<li>You cannot measure security, so stop<\/li>\n<li>The following is all that matters, and you can&#8217;t map security metrics to them:\n<ul>\n<li>Maintenance of availability<\/li>\n<li>Preservation of wealth<\/li>\n<li>Limitation on corporate liability<\/li>\n<li>Compliance<\/li>\n<li>Shepherding the corporate brand<\/li>\n<\/ul>\n<\/li>\n<li>Cost of measurement not worth the benefit<\/li>\n<\/ul>\n<p>Bad metrics are worse than no metrics<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Security Metrics Can Drive Executive Decision Making<\/strong><\/span><\/p>\n<ul>\n<li>How secure am I?<\/li>\n<li>Am I better off than this time last year?<\/li>\n<li>Am I spending the right amount of money?<\/li>\n<li>How do I compare to my peers?<\/li>\n<li>What risk transfer options do I have?<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Goals of Application Security Metrics<\/strong><\/span><\/p>\n<ul>\n<li>Provide quantifiable information to support enterprise risk management and risk-based decision making<\/li>\n<li>Articulate progress towards goals and objectives<\/li>\n<li>Provide a repeatable, quantifiable way to assess, compare, and track improvements in assurance<\/li>\n<li>Focus activities on risk mitigation in order of priority and exploitability<\/li>\n<li>Facilitate adoption and improvement of secure software design and development processes<\/li>\n<li>Provide an objective means of comparing and benchmarking projects, divisions, organizations, and vendor products<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Use Enumerations<\/strong><\/span><\/p>\n<ul>\n<li>Enumerations help identify specific software-related items that can be counted, aggregated, and evaluated over time<\/li>\n<li>CVE &#8211; Common Vulnerabilities and Exposures<\/li>\n<li>CWE &#8211; Common Weakness Enumeration<\/li>\n<li>CAPEC &#8211; Common Attack Pattern Enumeration and Classification<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Organizational Metrics<\/strong><\/span><\/p>\n<ul>\n<li>Percentage of application inventory developed with an SDLC (which version of the SDLC?)<\/li>\n<li>Business criticality of each application in the inventory<\/li>\n<li>Percentage of application inventory tested for security (what level of testing?)<\/li>\n<li>Percentage of application inventory remediated and meeting assurance requirements<\/li>\n<li>Roll-up of testing results<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Organizational Metrics<\/strong><\/span><\/p>\n<ul>\n<li>Cost to fix defects at different points in the software lifecycle<\/li>\n<li>Cost of data breaches related to software vulnerabilities<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Testing Metrics<\/strong><\/span><\/p>\n<ul>\n<li>Number of threats identified in the threat model<\/li>\n<li>Size of attack surface identified<\/li>\n<li>Percentage code coverage (static and dynamic)<\/li>\n<li>Coverage of defect categories (CWE)<\/li>\n<li>Coverage of attack pattern categories (CAPEC)<\/li>\n<\/ul>\n<p>SANS Top 25 Mapped to Application Security Methods (CWE, Title, Education?, Manual Process?, Tools?, Threat Model?)<\/p>\n<p>Weakness Class Prevalence based on 2008 CVE data (Mitre?)<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Basic Metrics: Defect Counts<\/strong><\/span><\/p>\n<ul>\n<li>Design and implementation defects\n<ul>\n<li>CWE identifier<\/li>\n<li>CVSS score<\/li>\n<li>Severity<\/li>\n<li>Likelihood of exploit<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Automated Code Analysis Techniques<\/strong><\/span><\/p>\n<ul>\n<li>Static Analysis (White Box Testing)<\/li>\n<li>Dynamic Analysis (Black Box Testing)<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Manual Analysis<\/strong><\/span><\/p>\n<ul>\n<li>Manual Penetration Testing<\/li>\n<li>Manual Code Review<\/li>\n<li>Manual Design Review<\/li>\n<li>Threat Modeling<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>WASC Web Application Security Statistics Project 2008<\/strong><\/span><\/p>\n<ul>\n<li>Goals\n<ul>\n<li>Identify the prevalence and probability of different vulnerability classes<\/li>\n<li>Compare testing methodologies against the types of vulnerabilities they are likely to identify<\/li>\n<\/ul>\n<\/li>\n<li>Summary\n<ul>\n<li>12186 web applications with 97554 detected vulnerabilities<\/li>\n<li>More than 13% of all reviewed sites can be compromised fully automatically<\/li>\n<li>About 49% of web applications contain high-risk vulnerabilities detectable by scanning<\/li>\n<li>Manual and automated assessment by the white box method allows these high-risk vulnerabilities to be detected with a probability of up to 80-96%<\/li>\n<li>99% of web applications are not compliant with the PCI DSS standard<\/li>\n<\/ul>\n<\/li>\n<li>Compare to 2007 WASC Project\n<ul>\n<li>Number of sites with SQL Injection fell by 13%<\/li>\n<li>Number of sites with Cross-site Scripting fell by 20%<\/li>\n<li>Number of sites with different types of Information Leakage rose by 24%<\/li>\n<li>Probability of compromising a host automatically rose from 7% to 13%<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This presentation was by Chris Wysopal, the CTO of Veracode.\u00a0 My notes are below: &#8220;To measure is to know.&#8221; &#8211; James Clerk Maxwell &#8220;Measurement motivates.&#8221; &#8211; John Kenneth Galbraith Metrics do Matter Metrics quantify the otherwise unquantifiable Metrics can show trends, and trends matter more than measurements do Metrics can show if we are doing [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[343,307],"tags":[76,148,310,344,622,10],"class_list":["post-334","post","type-post","status-publish","format-standard","hentry","category-metrics-security","category-owasp-appsec-dc-2009","tag-application","tag-attack","tag-metrics","tag-probability","tag-security","tag-vulnerability"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-5o","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/334","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=334"}],"version-history":[{"count":4,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/334\/revisions"}],"predecessor-version":[{"id":379,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/334\/revisions\/379"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=334"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=334"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}