PASSWD (Prediction of Applications and Systems Security Within Development)
How to create a model that will help in predicting and monitoring the security of an application
OWASP – Portugal – November 2008
Lucilla Mancini – Massimo Biagiotti
What exists
• Metrics for security programs
• Metrics to evaluate security level improvement within an organisation
• Models and standards to map the security levels within an organisation
• “Improvement programs” for security, based on models like SPICE (ISO 15504) or CMM
• ISECOM (RAV, SCARE), NIST (SAMATE), etc.
What are our goals
• We want to change the point of view: not only process or code, but applications and systems
– Most of the existing models start from quality metrics
– Most of the existing models look at processes
• Set up a set of metrics, both objective and subjective, that allow the evaluation of the security level of an application or a system in terms of level of risk acceptance
• Create a model that gives an overall picture of the criticality of an application in a predictive mode
• Model the application with security metrics in order to be able to apply an a-priori what-if analysis
• Create a set of metrics to be able to predict, in terms of risk acceptance, the security of new development components within an existing application
• Etc.
A glance on the idea
[Diagram: the SSDLC pipeline, Development Environment (unit test) → Deployment → Pre-Production → Production, with a KRI control at each phase and code flowing between them; application tests (pen test, code review, etc.) feed “Check vulnerabilities (create/collect metrics)”, then statistical analysis, then security models and an index for architects, developers and process managers, whose output is the usage of models to predict the security level of new applications under design and development; application security continues post deployment.]
How (this is not a timetable)
STEP 1:
• Analyse existing working groups in this area, also from other associations, to verify the goals and to create links
• Check existing studies in this area, to create a strong research base to start from
• Collect and enumerate all the existing metrics in security (application and process) in order to have a complete view of what can be used (we do not want to reinvent the wheel)
• Analyse and evaluate the most common application vulnerabilities (i.e. OWASP top ten) in terms of their frequency
Then…
• Collect data from applications in order to verify the assumptions
• Define a first set of metrics that will allow us to measure and evaluate security levels, in order to create a model for a security index
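To make the security index and the a-priori what-if analysis concrete, here is an added, constructed Python sketch (not code from the PASSWD project or its authors): findings recorded by the KRI controls at each SSDLC phase give a weighted risk density per component, the densities give an index, and a not-yet-written component's findings are predicted from the existing application's historical rates so that design scenarios can be checked against a risk-acceptance threshold. The class and phase weights, component names and finding counts are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical weights, constructed for this example (the deck defines none):
# vulnerability classes by assumed criticality, SSDLC phases by how far a
# finding travelled before a KRI control caught it.
CLASS_WEIGHT = {"injection": 1.0, "auth": 0.9, "xss": 0.8, "misconfig": 0.5}
PHASE_WEIGHT = {"development": 0.25, "deployment": 0.5, "pre-production": 0.75, "production": 1.0}

@dataclass
class Component:
    name: str
    kloc: float
    findings: dict  # {(phase, vuln_class): count}, collected by the KRI controls

def risk_density(c):
    """Weighted findings per KLOC of one component."""
    w = sum(CLASS_WEIGHT[k] * PHASE_WEIGHT[p] * n for (p, k), n in c.findings.items())
    return w / c.kloc

def security_index(components):
    """1.0 means no weighted findings; falls as the KLOC-weighted risk density grows."""
    kloc = sum(c.kloc for c in components)
    density = sum(risk_density(c) * c.kloc for c in components) / kloc
    return 1.0 / (1.0 + density)

def predict_component(name, kloc, history):
    """A-priori estimate for a component not yet written: apply the historical
    per-(phase, class) finding rate of the existing application to its size."""
    hist_kloc = sum(c.kloc for c in history)
    rates = {}
    for c in history:
        for key, n in c.findings.items():
            rates[key] = rates.get(key, 0.0) + n / hist_kloc
    return Component(name, kloc, {k: r * kloc for k, r in rates.items()})

def what_if(history, scenario, acceptance):
    """Index before/after adding `scenario` and whether it stays within risk acceptance."""
    before, after = security_index(history), security_index(history + [scenario])
    return before, after, after >= acceptance

# Constructed sample application: two existing components with KRI findings.
HISTORY = [
    Component("catalogue", 20.0, {("development", "xss"): 4, ("production", "injection"): 1}),
    Component("checkout", 5.0, {("pre-production", "misconfig"): 2}),
]

def run_scenarios(acceptance=0.9):
    """Baseline prediction, a design that removes XSS, and XSS that reaches production."""
    base = predict_component("payments", 10.0, HISTORY)
    no_xss = Component(base.name, base.kloc, {k: n for k, n in base.findings.items() if k[1] != "xss"})
    xss_in_prod = Component(base.name, base.kloc,
                            {("production" if k[1] == "xss" else k[0], k[1]): n for k, n in base.findings.items()})
    return {s: what_if(HISTORY, c, acceptance) for s, c in
            [("baseline", base), ("auto-escaping", no_xss), ("xss slips to production", xss_in_prod)]}
```

A component built the same way as the existing ones leaves the index flat; removing a vulnerability class at design time raises it, while the same findings escaping every pre-production control push it below the acceptance threshold.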