Difference between revisions of "Types of application security metrics"

(Reverting to last version not containing links to s1.shard.jp)

Revision as of 07:50, 3 June 2009

Metrics Overview


It's been said that you can't improve what you can't measure. We currently don't have any good metrics for application security. Everyone understands what we want to measure -- how secure is it? But we're really not sure what low-level measurements we should be making, nor do we know how to roll them up into something meaningful for the buyer or user of software.

The difficulty of this problem is essentially the same as determining if there are any loopholes in a legal contract. Like legalese, programming languages are arbitrarily complex. A malicious developer, like a crafty lawyer, will use all their skill to obfuscate their attack.

Direct Metrics

Ideally, we could just measure the software itself. If we could count all the vulnerabilities and determine their likelihood and impact, we'd know how secure it is. Unfortunately, even the best static analysis tools can't come close to doing this. Still, there are things we can measure, and perhaps we can figure out which of these things directly correlate with increased security.

  • How many lines of code?
  • What languages are used?
  • What libraries does this application use (and how)?
  • What type of network access is required (client, server, none)?
  • What security mechanisms are used?
  • What configuration files are associated with the application?
  • How are sensitive assets protected?
  • What vulnerabilities have been identified?
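As an added illustration (not part of the original wiki page), the sketch below collects three of the direct measurements listed above from a source tree: lines of code per language, associated configuration files, and a rough network role. The extension map, the configuration suffixes and the regex indicators are assumptions chosen for the example, and the sample tree is constructed.

```python
import os
import re
import tempfile
from collections import Counter

# Assumed mappings for this example; neither list is exhaustive.
LANGS = {".py": "Python", ".java": "Java", ".js": "JavaScript", ".c": "C"}
CONFIG_EXT = {".xml", ".yml", ".yaml", ".ini", ".properties", ".conf"}
# Crude textual indicators of network role: a heuristic, not proof.
SERVER_RE = re.compile(r"\b(listen|accept|ServerSocket)\s*\(")
CLIENT_RE = re.compile(r"\b(connect|urlopen|HttpClient)\s*\(")

def direct_metrics(root):
    """Walk a source tree and return a few directly measurable properties."""
    loc, configs = Counter(), []
    server = client = False
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in CONFIG_EXT:
                configs.append(os.path.relpath(path, root))
            lang = LANGS.get(ext)
            if lang is None:
                continue  # not a recognised source file
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            # Count non-blank lines only.
            loc[lang] += sum(1 for line in text.splitlines() if line.strip())
            server = server or bool(SERVER_RE.search(text))
            client = client or bool(CLIENT_RE.search(text))
    network = "server" if server else "client" if client else "none"
    return {"loc": dict(loc), "languages": sorted(loc),
            "configs": sorted(configs), "network": network}

def demo():
    """Build a constructed sample application and measure it."""
    files = {
        "app/server.py": "import socket\n\ns = socket.socket()\n"
                         "s.bind(('', 8080))\ns.listen(5)\n",
        "app/util.js": "function add(a, b) {\n  return a + b;\n}\n",
        "conf/app.ini": "[db]\nhost = localhost\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return direct_metrics(root)

if __name__ == "__main__":
    print(demo())
```

These counts describe the code; whether any of them correlates with security is the open question the section raises.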

Indirect Metrics

If you can't measure the security of software directly, another option is to measure the people, process, and technology associated with creating the software in the first place.

  • Is there security documentation (design, test results, vulnerabilities)?
  • Is the documentation accurate and complete?
  • Is there a process for reporting security flaws?
  • Who developed this code (training, experience, background check)?
  • What assurance activities were performed (threat modeling, analysis, code review, test, evaluation)?
  • What was the outcome of those assurance activities?