PASSWD (Prediction of Applications and Systems Security Within Development)
How to create a model that will help in predicting and monitoring the security of an application
OWASP – Portugal – November 2008
Lucilla Mancini – Massimo (blonde secretary)

What exists
  • Metrics for security programs
  • Metrics to evaluate security level improvement within an organisation
  • Models and standards to map the security levels within an organisation
  • “Improvement programs” for security, based on models like SPICE (ISO 15504) or CMM
Which are our goals
  • We want to change the point of view: not only process or code, but applications and systems
    • Most of the existing models start from quality metrics
    • Most of the existing models look at processes
  • Set up a set of metrics, both objective and subjective, that allow the evaluation of the security level of an application or a system in terms of level of risk acceptance
  • Create a model that gives an overall picture of the criticality of an application in a predictive mode
  • Model the application with security metrics in order to be able to apply an a priori what-if analysis
  • Create a set of metrics to be able to predict, in terms of risk acceptance, the security of new development components within an existing application
  • Etc.
A glance on the idea

(Diagram on the original slide; only the box labels survive extraction:)
  • Development environment: unit test
  • Application security post deployment: application test (pen test, code review, etc.)
  • KRI control (a control box appears at each stage of the flow)
  • Check vulnerabilities (create/collect metrics)
  • Security models and index for architects, developers and process managers
  • Usage of models to predict the security level of new applications under design and development
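The slides describe the intended flow (collect findings from testing, turn them into metrics, feed a model that yields an index, use it for a priori what-if analysis and risk acceptance) but do not define the model itself. The following is an added toy illustration of that flow, not code from the PASSWD working group or from the presentation. Every class weight, severity weight, historical finding rate and acceptance threshold is a constructed placeholder; the component names and finding counts are constructed sample data.

```python
# Added illustration, not from the PASSWD slides: a toy security index with a
# risk-acceptance threshold and an a-priori what-if analysis for a new component.
# Every weight, rate and threshold below is a constructed placeholder; a real
# model would derive them from the collected vulnerability and metric data.
from dataclasses import dataclass, field, replace

# Hypothetical weight per vulnerability class (stand-in for the measured
# frequency of OWASP Top Ten style classes the working group plans to collect).
CLASS_WEIGHT = {"injection": 1.0, "broken_auth": 0.9, "xss": 0.8,
                "insecure_config": 0.5, "info_leak": 0.3}
SEVERITY_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}

# Hypothetical historical rate of findings per KLOC, keyed by (class, severity);
# used to predict findings for a component that does not exist yet.
BASELINE_DENSITY = {("injection", "high"): 0.05, ("xss", "medium"): 0.10,
                    ("broken_auth", "high"): 0.02}

# Risk-acceptance threshold on the index (constructed value).
THRESHOLD = 0.12


@dataclass
class Component:
    name: str
    kloc: float                                   # objective metric: size in thousand LOC
    findings: dict = field(default_factory=dict)  # {(class, severity): count}
    exposure: float = 1.0                         # subjective metric: 1.0 internet-facing, 0.3 internal


def component_score(c):
    """Weighted finding mass per KLOC, scaled by the subjective exposure."""
    mass = sum(CLASS_WEIGHT[cls] * SEVERITY_WEIGHT[sev] * n
               for (cls, sev), n in c.findings.items())
    return c.exposure * mass / c.kloc


def security_index(components):
    """Application-level index: size-weighted mean of component scores."""
    total_kloc = sum(c.kloc for c in components)
    return sum(component_score(c) * c.kloc for c in components) / total_kloc


def predict_findings(kloc, density=BASELINE_DENSITY):
    """Expected findings for a component still under design, from historical rates."""
    return {key: rate * kloc for key, rate in density.items()}


def what_if(existing, new_component, threshold=THRESHOLD):
    """A-priori what-if analysis: index before and after adding a component."""
    before = security_index(existing)
    after = security_index(existing + [new_component])
    return {"before": before, "after": after, "delta": after - before,
            "accepted": after <= threshold}


# Constructed sample application: two deployed components with measured findings
# (as a pen test or code review would report them) and one component under design.
EXISTING = [
    Component("web-frontend", kloc=40.0, exposure=1.0,
              findings={("xss", "medium"): 4, ("info_leak", "low"): 2}),
    Component("backend-api", kloc=60.0, exposure=0.6,
              findings={("injection", "high"): 1, ("insecure_config", "low"): 3}),
]
NEW_EXTERNAL = Component("payments-module", kloc=20.0, exposure=1.0,
                         findings=predict_findings(20.0))
NEW_INTERNAL = replace(NEW_EXTERNAL, exposure=0.3)   # same code, not internet-facing


def run_example():
    """Return the current index and both what-if scenarios."""
    return {"index_now": security_index(EXISTING),
            "add_external": what_if(EXISTING, NEW_EXTERNAL),
            "add_internal": what_if(EXISTING, NEW_INTERNAL)}


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

With these constructed numbers the current application sits under the threshold, adding the predicted payments module as an internet-facing component pushes the index over it, and the same module deployed internally stays accepted. The point of the exercise is the shape of the flow, not the numbers: the objective metrics (size, finding counts) and the subjective one (exposure) enter the same index, and the what-if runs before a line of the new component is written.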



How (this is not a timetable)

  • Analyse existing working groups in this area, also from other associations, to verify the goals and to create links
  • Check existing studies in this area, to create a strong research base to start from
  • Collect and enumerate all the existing metrics in security (application and process) in order to have a complete view of what can be used (we do not want to reinvent the wheel)
  • Analyse and evaluate the most common application vulnerabilities (e.g. the OWASP Top Ten) in terms of their frequency


  • Collect data from applications in order to verify the assumptions
  • Define a first set of metrics that will allow measuring and evaluating security levels, in order to create a model for a security index