PASSWD (Prediction of Applications and Systems Security Within Development)

How to create a model that will help in predicting and monitoring the security of an application

OWASP – Portugal – November 2008

Lucilla Mancini – Massimo Biagiotti
lucilla.mancini@business-e.it
massimo.biagiotti@business-e.it
(blonde secretary)

What exists

  • Metrics for security programs

  • Metrics to evaluate security level improvement within an organisation

  • Models and standards to map the security levels within an organisation

  • “Improvement programs” for security, based on models like SPICE (ISO15504) or CMM


Which are our goals

  • We want to change the point of view: not only process or code, but applications and systems

    • Most of the existing models start from quality metrics

    • Most of the existing models look at processes

  • Set up a set of metrics, both objective and subjective, that allow the evaluation of the security level of an application or a system in terms of level of risk acceptance

  • Create a model that gives an overall picture of the criticality of an application in a predictive mode

  • Model the application with security metrics in order to be able to apply an a-priori what-if analysis

  • Create a set of metrics to be able to predict in terms of risk acceptance the security of new development components within an existing application

  • Etc.

A glance on the idea

(Diagram slide; only the box labels survive extraction:)

  • Development Environment: Unit test

  • Application security post deployment: KRI control

  • Application test (pen test, code review, etc.)

  • Check vulnerabilities (create/collect metrics)

  • Security models and index for architects, developers and process managers

  • Usage of models to predict the security level of new applications under design and development


How (this is not a timetable)


  • Analyse existing working groups in this area, also from other associations, to verify the goals and to create links

  • Check existing studies in this area, to create a strong research base to start from

  • Collect and enumerate all the existing metrics in security (application and process) in order to have a complete view of what can be used (we do not want to reinvent the wheel)

  • Analyse and evaluate the most common application vulnerabilities (e.g. the OWASP Top Ten) in terms of their frequency

  • Collect data from applications in order to verify the assumptions

  • Define a first set of metrics that will allow measuring and evaluating security levels, in order to create a model for a security index
