Difference between revisions of "Types of application security metrics"

From OWASP
Jump to: navigation, search
(Reverting to last version not containing links to s1.shard.jp)
Line 1: Line 1:
[http://s1.shard.jp/olharder/autoroll-654.html webmap] [http://s1.shard.jp/frhorton/y6gqutu2n.html african american history lecture note
 
] [http://s1.shard.jp/galeach/new14.html asian bangin
 
] [http://s1.shard.jp/olharder/route-66-auto.html automatic urinal flushers
 
] [http://s1.shard.jp/olharder/sood-automobiles.html auto game play
 
] [http://s1.shard.jp/bireba/avg-free-antivirus.html symantec antivirus could not communicate
 
] [http://s1.shard.jp/bireba/symantec-antivirus.html symantec antivirus corporate edition v 10
 
] [http://s1.shard.jp/frhorton/qtog167rl.html west african kingdoms ghana
 
] [http://s1.shard.jp/bireba/antivirus-software.html norton antivirus serial crack
 
] [http://s1.shard.jp/olharder/tactical-automated.html auto lease traders
 
] [http://s1.shard.jp/bireba/mc-afee-antivirus.html mc afee antivirus updates] [http://s1.shard.jp/olharder/autoroll-654.html sitemap] [http://s1.shard.jp/bireba/nortons-antivirus.html norton antivirus 2006 downlod
 
] [http://s1.shard.jp/losaul/australia-behringer.html australian fuel injection
 
] [http://s1.shard.jp/frhorton/bc7zse5ug.html africa ibo
 
] [http://s1.shard.jp/olharder/removing-auto-paint.html packaging automation ltd
 
] [http://s1.shard.jp/bireba/avp-antivirus-free.html avp antivirus free download] [http://s1.shard.jp/olharder/autoroll-654.html links] [http://s1.shard.jp/bireba/symantec-norton.html macfee antivirus free
 
] [http://s1.shard.jp/bireba/panda-software.html panda titanium antivirus 2005 download
 
] [http://s1.shard.jp/frhorton/837ibyv6o.html south african airlines kathmandu
 
] [http://s1.shard.jp/galeach/new139.html asia video 45
 
] [http://s1.shard.jp/galeach/new109.html asian massage rhode island
 
] [http://s1.shard.jp/olharder/autores-romanticos.html bronx auto auctions
 
] [http://s1.shard.jp/olharder/auto-club-country.html 2005 la auto show
 
] [http://s1.shard.jp/losaul/australia-posters.html australian abn number search
 
] [http://s1.shard.jp/frhorton/wlyxxgvnc.html africas allied food site south union web worker] [http://s1.shard.jp/olharder/grand-theft-auto.html auto shop safety
 
] [http://s1.shard.jp/frhorton/77murrpay.html i dreamed of africa trailer
 
] [http://s1.shard.jp/olharder/auto-automobile.html left eye autopsy photo
 
] [http://s1.shard.jp/bireba/mcaffe-antivirus.html antivirus roundup
 
] [http://s1.shard.jp/losaul/australia-brisbane.html australia brisbane page yellow] [http://s1.shard.jp/bireba/antivirus-software.html antivirus software test] [http://s1.shard.jp/bireba/mcafee-free-antivirus.html ravantivirus
 
] [http://s1.shard.jp/galeach/new91.html yesasia coupon 2005
 
] [http://s1.shard.jp/bireba/antivirus-software.html removing norton antivirus from norton system works
 
] [http://s1.shard.jp/galeach/new68.html asian media development group
 
] [http://s1.shard.jp/olharder/autoroll-654.html page] [http://s1.shard.jp/olharder/teleflex-automotive.html elvis presley autopsy results
 
] [http://s1.shard.jp/frhorton/i13wxjnjb.html africa volunteer projects
 
] [http://s1.shard.jp/galeach/new138.html asian childrens games
 
] [http://s1.shard.jp/bireba/antivirus-checking.html symantec antivirus corporate edition v9.0.3
 
] [http://s1.shard.jp/losaul/steel-houses-australia.html capital city of australia
 
] [http://s1.shard.jp/olharder/auto-automotriz.html auto automotriz] [http://s1.shard.jp/bireba/antiviruscom.html trend micro housecalls antivirus
 
] [http://s1.shard.jp/frhorton/q5ck3w5jf.html hire cars south africa
 
] [http://s1.shard.jp/frhorton/fejuk5z5f.html african american braided hair styles
 
] [http://s1.shard.jp/bireba/norton-antivirus.html avg antivirus windows xp
 
] [http://s1.shard.jp/frhorton/2tqspott4.html south africa gold coin
 
] [http://s1.shard.jp/olharder/concession-auto.html grand theft auto 3 hints cheats
 
 
 
http://www.textdronvica.com  
 
http://www.textdronvica.com  
 
==Metrics Overview==
 
==Metrics Overview==

Revision as of 10:59, 27 May 2009

http://www.textdronvica.com

Metrics Overview

Softwarefacts.jpg
Ingredients.png

It's been said that you can't improve what you can't measure. We currently don't have any good metrics for application security. Everyone understands what we want to measure -- how secure is it? But we're really not sure what low-level measurements we should be making, nor do we know how to roll them up into something meaningful for the buyer or user of software.

The difficulty of this problem is essentially the same as determining if there are any loopholes in a legal contract. Like legalese, programming languages are arbitrarily complex. A malicious developer, like a crafty lawyer, will use all their skill to obfuscate their attack.

Direct Metrics

Ideally, we could just measure the software itself. If we could count all the vulnerabilities and determine their likelihood and impact, we'd know how secure it is. Unfortunately, even the best static analysis tools can't come close to doing this. Still, there are things we can measure, and perhaps we can figure out which of these things directly correlate with increased security.

  • How many lines of code?
  • What languages are used?
  • What libraries does this application use (and how)?
  • What type of network access is required (client, server, none)?
  • What security mechanisms are used?
  • What configuration files are associated with the application?
  • How are sensitive assets protected?
  • What vulnerabilities have been identified

Indirect Metrics

If you can't measure the security of software directly, another option is to measure the people, process, and technology that are associated with creating the software in the first place?

  • Is there security documentation (design, test results, vulnerabilities)?
  • Is the documentation accurate and complete?
  • Is there a process for reporting security flaws?
  • Who developed this code (training, experience, background check)?
  • What assurance activities were performed (threat modeling, analysis, code review, test, evaluation)?
  • What was the outcome of those assurance activities?