The Need for Metrics and Measurement in Application Security
Jack Danahy, OWASP Metrics and Measurement Standards Committee Project Lead
jack.danahy@ouncelabs.com | 781-290-5333
The Need for Metrics
(Diagram: Prexis Vulnerability Analysis Data feeding each audience: CSO/CISO, Program Managers, Development Managers, Developers, Compliance/Audit Managers)
• Identify critical areas of focus
• Set security investment priorities
• Track effectiveness of remediation and training
• Monitor performance of development teams and outsourcers
• Set critical priorities and security exit criteria
• Publish results
• Target critical remediation needs
• Evaluate ROI in security training investment
• Set and monitor security acceptance criteria
• Identify critical vulnerabilities early
• Learn how to fix the vulnerability
• Confirm vulnerability elimination
• Monitor compliance with established thresholds
• Publish trend analyses to document security efforts/progress
• Evaluate outsourcers’ compliance with contractual requirements
OWASP Metrics and Measurement Project Goals
• Member survey and outreach to characterize significant and required metrics
• Metrics gathering best practices framework
• Recommendations for metrics gathering, tool analysis, metrics aggregation and weighting
The Case for Measurement
The Need for Metrics:
• Certification
• Prioritization
• Remediation
• Tracking
Metrics for Certification
• Governance
  • Credible, reliable metrics support compliance efforts by demonstrating pervasive security
• Stability
  • Proof of security and lack of excessive patching increase customer confidence and reduce operational risk
• Functionality
  • Validation of appropriate implementation of defined security components ensures that the product meets baseline security requirements
Metrics for Prioritization
• Determine application or project vulnerability
• Determine severity of vulnerabilities
• Prioritize remediation efforts
(Chart: prioritization matrix with axes Value (Low to High) and Audience and Exposure (low exposure to high exposure))
Metrics for Remediation
• Informed business-level decision support
  • Legacy applications: wrap it, rewrite it, or replace it
  • Outsourced projects: baselines and thresholds drive acceptance criteria and accountability
  • Resource allocation: focus investments and attention
• Efficient workflow for developers
  • Specific identification of vulnerability
  • Explanation of vulnerability including potential impact
  • Conclusive remediation recommendations
Metrics for Tracking
• Establish baseline and acceptable thresholds
• Set accountability expectations with external vendors
• Measure team performance
• Provide reliable information to all areas of the organization
• Monitoring progress over time requires:
  • Granularity of information
  • Periodicity of data (regulatory and public company requirements)
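To make the prioritization matrix and the tracking baselines concrete, here is an added Python example (not part of the slide deck and not OWASP or Ounce Labs code): it weights findings by severity, places each application in the value/exposure matrix, checks acceptance thresholds, and reports change against a baseline period. The severity weights, thresholds, application names and scan counts are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Severity weights are an assumption: the slides call for weighting but give no values.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}

@dataclass
class AppScan:
    app: str
    period: str      # reporting period label (periodicity of data)
    value: str       # business value of the app: "low" or "high"
    exposure: str    # audience and exposure: "low" or "high"
    findings: dict = field(default_factory=dict)  # severity -> count (granularity)

def weighted_score(scan):
    """Aggregate per-severity counts into one weighted vulnerability score."""
    return sum(SEVERITY_WEIGHT[sev] * n for sev, n in scan.findings.items())

def priority(scan):
    """Quadrant of the value / exposure matrix: 1 = high value and high exposure."""
    if scan.value == "high" and scan.exposure == "high":
        return 1
    return 2 if "high" in (scan.value, scan.exposure) else 3

def accepts(scan, thresholds):
    """Acceptance criteria: no severity count may exceed its agreed threshold."""
    return all(scan.findings.get(sev, 0) <= limit for sev, limit in thresholds.items())

def trend(scans, app):
    """(period, score, change from the earliest period as baseline) for one app."""
    series = sorted((s for s in scans if s.app == app), key=lambda s: s.period)
    base = weighted_score(series[0])
    return [(s.period, weighted_score(s), weighted_score(s) - base) for s in series]

def remediation_order(scans, period):
    """Rank apps in a period by matrix quadrant, then by weighted score, highest first."""
    current = [s for s in scans if s.period == period]
    current.sort(key=lambda s: (priority(s), -weighted_score(s)))
    return [s.app for s in current]

# Constructed sample data: three hypothetical apps scanned in two periods.
SAMPLE_SCANS = [
    AppScan("payments", "Q1", "high", "high", {"critical": 2, "high": 3, "medium": 5}),
    AppScan("payments", "Q2", "high", "high", {"high": 2, "medium": 4}),
    AppScan("partner-portal", "Q1", "low", "high", {"critical": 1, "medium": 2}),
    AppScan("partner-portal", "Q2", "low", "high", {"critical": 1}),
    AppScan("intranet-wiki", "Q1", "low", "low", {"high": 4, "low": 10}),
    AppScan("intranet-wiki", "Q2", "low", "low", {"high": 4, "low": 12}),
]
THRESHOLDS = {"critical": 0, "high": 2}  # constructed security exit criteria
```

Calling `remediation_order(SAMPLE_SCANS, "Q2")` ranks the high-value, high-exposure payments app first even though the wiki carries a higher raw score, and `trend(SAMPLE_SCANS, "payments")` shows its score falling from the Q1 baseline while only its Q2 scan passes `accepts(...)`.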
The Case for Measurement
• Certification: provide quantifiable measurement of security
• Prioritization: make informed resource allocation decisions
• Remediation: identify and eliminate risks caused by vulnerabilities
• Tracking: prove progress against reliable baselines and thresholds
Call for Participation
• Active recruitment efforts underway
• owasp-metrics@lists.sourceforge.net
• Questions? Comments?
• Contact me at: jack.danahy@ouncelabs.com