Application Security Metrics Project
Bob Austin, Project Lead
KoreLogic, Inc.
bob.austin@korelogic.com
P 804.379.4656

OWASP AppSec Seattle, Oct 2006
The OWASP Foundation
http://www.owasp.org/

Permission is granted to copy, distribute and/or modify this document
under the terms of the Creative Commons Attribution-ShareAlike 2.5
License. To view this license, visit
http://creativecommons.org/licenses/by-sa/2.5/
Presentation Objectives
[Chart: why organizations adopt security metrics]
  Regulations: 51%
  Better stewardship: 26%
  Report progress to business managers: 23%
  Base: 40 CISOs and senior security (remainder of the base line is cut off in the source)
Project Approach

Phase One:
  Develop project approach ➨ Conduct research; identify leading practices and standards ➨ Develop/conduct initial survey ➨ Publish survey results ➨ (Phase Two)

Phase Two:
  Solicit OWASP feedback ➨ Identify short list of needed metrics ➨ Create approach to develop metrics
  Perform gap analysis

http://www.owasp.org/index.php/Category:OWASP_Metrics_Project
OWASP AppSec Seattle 2006 6
Phase One – Application Security Metrics Baseline Survey Plan

Information capture ➨ Analysis ➨ Survey results

Information capture:
  Interviews
  Research
  OWASP Metrics Survey (http://www.owasp.org/index.php/Metrics_Survey_Form)

Analysis:
  Identify key findings (from survey results)
  Assess survey participant-provided metrics for applicability for OWASP community use

Survey results:
  Key findings (common themes, barriers, concerns)
  Application security metrics
  Set of "best practices" associated with establishing an application security metrics program
  Use results to design Phase Two of the project
Vulnerability metrics: metrics about application vulnerabilities themselves.
  Examples: by vulnerability type; by occurrence within a software development life cycle phase.

Management metrics: metrics specifically designed for senior management.
  Examples: % of applications that are currently security "certified" and accepted by business partners; trending of critical unresolved and accepted risks.

[Figure: security activities across the development life cycle; source: Microsoft]
  Team member training; secure coding guidelines; security & least privilege review; review old defects; check-ins checked; data mutation (on-going); tests; use tools.
Examples of Application Security Metrics

Vulnerability metrics:
  Number and criticality of vulnerabilities found.
  Most commonly found vulnerabilities.
  Reported defect rates based on security testing (per developer/team, per application).
  Root cause of "vulnerability recidivism" (the same class of flaw reappearing in a project after it was fixed).
  % of code that is re-used from other products/projects.*
  % of code that is third party (e.g., libraries).*
  Results of source code analysis:**
    Vulnerability severity by project, by organization.
    Vulnerabilities by category by project, by organization.
    Vulnerability +/- over time by project.
    % of flaws by lifecycle phase (based on when testing occurs).

Sources: * WebMethods; ** Fortify Software
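To make the source-code-analysis metrics in the list concrete, here is an added worked example that is not code from the presentation, OWASP, WebMethods or Fortify. It runs over a constructed list of findings whose project, organization, category, severity, SDLC-phase and found/fixed-date fields are hypothetical, and derives severity and category counts by project and by organization, the most common vulnerability classes, the percentage of flaws by lifecycle phase, the month-by-month open-finding trend (+/-), and recurrences of a vulnerability class after an earlier fix, which is the raw material for a recidivism root-cause review.

```python
"""Vulnerability metrics computed over security-testing findings.

Added example, not code from the presentation or its cited sources. The
findings below are constructed; project, org, category and phase names are
hypothetical and exist only to make the arithmetic concrete.
"""
from calendar import monthrange
from collections import Counter, defaultdict
from datetime import date


def finding(fid, project, org, category, severity, phase, found, fixed=None):
    return {"id": fid, "project": project, "org": org, "category": category,
            "severity": severity, "phase": phase, "found": found, "fixed": fixed}


# Constructed sample data: two projects in two organizations, five months.
FINDINGS = [
    finding(1, "billing", "payments", "SQLi", "critical", "test",
            date(2006, 3, 1), date(2006, 3, 10)),
    finding(2, "billing", "payments", "XSS", "medium", "code",
            date(2006, 3, 5), date(2006, 4, 1)),
    finding(3, "billing", "payments", "SQLi", "high", "production",
            date(2006, 6, 2)),                      # still open
    finding(4, "portal", "retail", "XSS", "high", "design",
            date(2006, 4, 12), date(2006, 5, 2)),
    finding(5, "portal", "retail", "AuthZ", "critical", "test",
            date(2006, 7, 3)),                      # still open
    finding(6, "portal", "retail", "XSS", "low", "test",
            date(2006, 7, 20)),                     # still open
]


def count_by(findings, group_key, field):
    """Counts of `field` values within each `group_key` value, e.g.
    severity by project, or category by organization."""
    out = defaultdict(Counter)
    for f in findings:
        out[f[group_key]][f[field]] += 1
    return {k: dict(v) for k, v in out.items()}


def most_common_categories(findings, n=3):
    """The n most commonly found vulnerability classes."""
    return Counter(f["category"] for f in findings).most_common(n)


def pct_by_phase(findings):
    """% of flaws per SDLC phase, attributed by when testing found them."""
    counts = Counter(f["phase"] for f in findings)
    total = sum(counts.values())
    return {phase: round(100.0 * c / total, 1) for phase, c in counts.items()}


def open_trend(findings, months, project=None):
    """Open findings at each month end and the +/- change from the prior
    month; `months` is a list of (year, month) tuples."""
    rows, prev = [], 0
    for year, month in months:
        end = date(year, month, monthrange(year, month)[1])
        open_count = sum(
            1 for f in findings
            if (project is None or f["project"] == project)
            and f["found"] <= end
            and (f["fixed"] is None or f["fixed"] > end))
        rows.append((f"{year}-{month:02d}", open_count, open_count - prev))
        prev = open_count
    return rows


def recidivism(findings):
    """Per (project, category): how many findings appeared after an earlier
    finding of the same class in that project had already been fixed. Each
    such pair is a candidate for root-cause analysis."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["project"], f["category"])].append(f)
    recurred = {}
    for key, group in groups.items():
        group.sort(key=lambda f: f["found"])
        repeats = sum(
            1 for i, later in enumerate(group)
            if any(e["fixed"] is not None and e["fixed"] < later["found"]
                   for e in group[:i]))
        if repeats:
            recurred[key] = repeats
    return recurred


if __name__ == "__main__":
    months = [(2006, m) for m in range(3, 8)]
    print("severity by project:", count_by(FINDINGS, "project", "severity"))
    print("category by org:    ", count_by(FINDINGS, "org", "category"))
    print("most common:        ", most_common_categories(FINDINGS))
    print("% by phase:         ", pct_by_phase(FINDINGS))
    print("open trend (all):   ", open_trend(FINDINGS, months))
    print("recidivism:         ", recidivism(FINDINGS))
```

The trend is computed from month-end snapshots rather than from raw counts of new findings, so a month in which as many issues were fixed as were found shows as +0; a tool that only reports "new findings this month" would hide that. The recidivism count deliberately requires the earlier finding to have been fixed before the later one appeared, so two concurrent open instances of the same class are not mistaken for a regression.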
The Path Forward
Source: http://www.stsc.hill.af.mil/crosstalk/1998/08/backtalk.asp