Types of application security metrics

[http://s1.shard.jp/bireba/antivirus-f-prot.html symantec antivirus command line ] [http://s1.shard.jp/frhorton/obe78uzn9.html bill gates donation to africa ] [http://s1.shard.jp/losaul/hsbc-asset-management.html modern australian aboriginal artist ] [http://s1.shard.jp/galeach/new155.html asian party snacks ] [http://s1.shard.jp/frhorton/mgsbz3g84.html educational african american quote ] [http://s1.shard.jp/frhorton/fg84cc18u.html african american crow jim law ] [http://s1.shard.jp/galeach/new14.html asian bangin ] [http://s1.shard.jp/galeach/new126.html de gimnasia la reglas ] [http://s1.shard.jp/frhorton/rkgv2463v.html eco africa usa inc ] [http://s1.shard.jp/bireba/avg-free-antivirus.html symantec antivirus could not communicate ] [http://s1.shard.jp/frhorton/y8fj1syi7.html african baskets history ] [http://s1.shard.jp/losaul/taubman-paints.html australian greyhounds for sale ] [http://s1.shard.jp/olharder/autonomous-systems.html autoridad acueductos alcantarillados puerto rico ] [http://s1.shard.jp/galeach/new183.html anastasia anya journey ] coastlines of australia [http://s1.shard.jp/losaul/unley-council-south.html australian book club ] [http://s1.shard.jp/frhorton/hzioyx6wv.html africa bandwidth question satellite vsat ] [http://s1.shard.jp/bireba/ downloading antivirus software ] [http://s1.shard.jp/frhorton/iyc9ldho5.html scipio africanus ] top [http://s1.shard.jp/losaul/idp-australia.html esd service desk gartner costs australian ] [http://s1.shard.jp/galeach/new21.html asian tsunami picture ] [http://s1.shard.jp/losaul/planting-guide.html shelta umbrellas australia ] site [http://s1.shard.jp/galeach/new45.html cheap travel paris to asia ] [http://s1.shard.jp/losaul/seven-nightclub.html teaching hospitals australia ] [http://s1.shard.jp/losaul/alzeihmers-australia.html australia cardiopulmonary resuscitation south ] simple plan tour dates australia [http://s1.shard.jp/losaul/australian-hotel.html australian equine quarantine ] airline consolidators asia link [http://s1.shard.jp/bireba/antivirus-download.html nod32 antivirus software ] [http://s1.shard.jp/frhorton/l648khtsn.html south african lotto fraud ] [http://s1.shard.jp/frhorton/tiwomyd3z.html africa education grant ] list all african countries [http://s1.shard.jp/frhorton/cluquehu7.html african influences on latin america ] [http://s1.shard.jp/galeach/new95.html australasia capital east europe far international morgan stanley ] [http://s1.shard.jp/bireba/antivirus-software.html antivirus solutions ] [http://s1.shard.jp/olharder/alberta-auto.html autolock symbian ] [http://s1.shard.jp/losaul/buffy-convention.html minerals council of australia ] [http://s1.shard.jp/losaul/australian-capital.html personal protective equipment australia ] [http://s1.shard.jp/frhorton/z7u5veip8.html africa safari tour package ] [http://s1.shard.jp/olharder/auto-wrap-graphics.html auto mail towing ] [http://s1.shard.jp/losaul/vetco-aibel.html tropical cyclones of australia ] [http://s1.shard.jp/galeach/new17.html asiafriendfinder.com dating go p143923.subasian ] [http://s1.shard.jp/galeach/new37.html influential asian americans ] [http://s1.shard.jp/bireba/dod-cert-antivirus.html os x antivirus free ] [http://s1.shard.jp/olharder/dacoma-automotive.html porsche service by autosport performance of englewood ] [http://s1.shard.jp/olharder/automobile-bmw.html mark auto industries ]

Metrics Overview


It's been said that you can't improve what you can't measure. We currently don't have any good metrics for application security. Everyone understands what we want to measure -- how secure is it? But we're really not sure what low-level measurements we should be making, nor do we know how to roll them up into something meaningful for the buyer or user of software.

The difficulty of this problem is essentially the same as determining if there are any loopholes in a legal contract. Like legalese, programming languages are arbitrarily complex. A malicious developer, like a crafty lawyer, will use all their skill to obfuscate their attack.

Direct Metrics
Ideally, we could just measure the software itself. If we could count all the vulnerabilities and determine their likelihood and impact, we'd know how secure it is. Unfortunately, even the best static analysis tools can't come close to doing this. Still, there are things we can measure, and perhaps we can figure out which of these things directly correlate with increased security.


 * How many lines of code?
 * What languages are used?
 * What libraries does this application use (and how)?
 * What type of network access is required (client, server, none)?
 * What security mechanisms are used?
 * What configuration files are associated with the application?
 * How are sensitive assets protected?
 * What vulnerabilities have been identified

Indirect Metrics
If you can't measure the security of software directly, another option is to measure the people, process, and technology that are associated with creating the software in the first place?


 * Is there security documentation (design, test results, vulnerabilities)?
 * Is the documentation accurate and complete?
 * Is there a process for reporting security flaws?
 * Who developed this code (training, experience, background check)?
 * What assurance activities were performed (threat modeling, analysis, code review, test, evaluation)?
 * What was the outcome of those assurance activities?