PASSWD
Presentation Transcript


PASSWD (Prediction of Applications and Systems Security Within Development)

How to create a model that will help in predicting and monitoring the security of an application

OWASP – Portugal – November 2008

Lucilla Mancini – Massimo [email protected]@business-e.it (blonde secretary)


What exists

  • Metrics for security programs

  • Metrics to evaluate security level improvement within an organisation

  • Models and standards to map the security levels within an organisation

  • “Improvement programs” for security, based on models like SPICE (ISO 15504) or CMM

  • ISECOM (RAV, SCARE), NIST (SAMATE), etc.


What are our goals

  • We want to change the point of view… not only process or code, but applications and systems

    • Most of the existing models start from quality metrics

    • Most of the existing models look at processes

  • Set up a set of metrics both objective and subjective that allow the evaluation of the security level of an application or a system in terms of level of risk acceptance

  • Create a model that gives an overall picture of the criticality of an application in a predictive mode

  • Model the application with security metrics in order to be able to apply an a-priori what-if analysis

  • Create a set of metrics to be able to predict in terms of risk acceptance the security of new development components within an existing application

  • Etc.


SSDLC

[Diagram: SSDLC stages – Development Environment, Unit test, Pre-Production, Production – with Deployment, Application security post deployment, and KRI control applied at several stages]


A glance at the idea

[Diagram: code → Application test (Pen Test, code review, etc.) → Check vulnerabilities (create/collect metrics) → Statistical analysis → Security models and index for architects, developers and process managers; usage of the models to predict the security level of new applications under design and development]


How (this is not a timetable)

STEP 1:

  • Analyse existing working groups in this area, also from other associations, to verify the goals and to create links

  • Check existing studies in this area, to create a strong research base to start from

  • Collect and enumerate all the existing security metrics (application and process) in order to have a complete view of what can be used (we do not want to reinvent the wheel)

  • Analyse and evaluate the most common application vulnerabilities (e.g. the OWASP Top Ten) in terms of their frequency

    Then…

  • Collect data from applications in order to verify the assumptions

  • Define a first set of metrics that will allow measuring and evaluating security levels, in order to create a model for a security index
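The last three steps above (evaluate vulnerability frequency, collect data from applications, define a first set of metrics feeding a security index) can be sketched in a few lines. The following is an added example and is not code from the presentation or the PASSWD working group: the findings are constructed, and because the presentation defines no formula for its index, the severity weights, the weighted sum and the acceptance threshold below are assumptions chosen only to show how collected metrics turn into a risk-acceptance decision.

```python
"""Collecting vulnerability metrics from application test results.

Added example, not from the OWASP Portugal 2008 PASSWD presentation.
The findings, the severity weights and the acceptance threshold are
constructed; the weighted-sum index is an assumption, not the project's model.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    application: str
    category: str   # vulnerability class, e.g. an OWASP Top Ten category
    severity: str   # "high", "medium" or "low"


# Constructed sample of what one round of pen tests / code reviews might yield.
FINDINGS = [
    Finding("shop", "Cross Site Scripting", "medium"),
    Finding("shop", "Cross Site Scripting", "medium"),
    Finding("shop", "Injection Flaws", "high"),
    Finding("shop", "Information Leakage", "low"),
    Finding("hr-portal", "Cross Site Scripting", "medium"),
    Finding("hr-portal", "Broken Authentication", "high"),
    Finding("intranet", "Information Leakage", "low"),
    Finding("intranet", "Cross Site Scripting", "low"),
]

# Assumed severity weights (not defined by the presentation).
SEVERITY_WEIGHT = {"high": 10, "medium": 5, "low": 1}


def category_frequency(findings):
    """Number of findings per vulnerability category, across all applications."""
    return Counter(f.category for f in findings)


def category_prevalence(findings):
    """Fraction of tested applications (0.0 to 1.0) in which each category occurs."""
    applications = {f.application for f in findings}
    affected = defaultdict(set)
    for f in findings:
        affected[f.category].add(f.application)
    return {cat: len(apps) / len(applications) for cat, apps in affected.items()}


def ranked_categories(findings):
    """Categories ordered by frequency, most common first (ties keep input order)."""
    return [cat for cat, _ in category_frequency(findings).most_common()]


def security_index(findings, application):
    """Assumed index: sum of severity weights of one application's open findings."""
    return sum(SEVERITY_WEIGHT[f.severity]
               for f in findings if f.application == application)


def within_risk_acceptance(findings, application, threshold):
    """True when the application's index stays at or below the agreed threshold."""
    return security_index(findings, application) <= threshold


if __name__ == "__main__":
    counts = category_frequency(FINDINGS)
    prevalence = category_prevalence(FINDINGS)
    for cat in ranked_categories(FINDINGS):
        print(f"{cat:25s} findings={counts[cat]} prevalence={prevalence[cat]:.2f}")
    for app in sorted({f.application for f in FINDINGS}):
        print(app, security_index(FINDINGS, app),
              "accepted" if within_risk_acceptance(FINDINGS, app, threshold=10) else "above threshold")
```

The frequency and prevalence functions are the objective part of the metric set (they only count what the tests found); the index and the threshold are where the subjective, risk-acceptance decision enters, which is why they are kept separate from the counting.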
