
What exists



  1. PASSWD (Prediction of Applications and Systems Security Within Development): how to create a model that will help in predicting and monitoring the security of an application. OWASP Portugal, November 2008. Lucilla Mancini, Massimo Biagiotti. lucilla.mancini@business-e.it, massimo.biagiotti@business-e.it

  2. What exists
  • Metrics for security programs
  • Metrics to evaluate security level improvement within an organisation
  • Models and standards to map the security levels within an organisation
  • "Improvement programs" for security, based on models like SPICE (ISO 15504) or CMM
  • ISECOM (RAV, SCARE), NIST (SAMATE), etc.

  3. What are our goals
  • We want to change the point of view: not only process or code, but applications and systems
  • Most of the existing models start from quality metrics
  • Most of the existing models look at processes
  • Set up a set of metrics, both objective and subjective, that allow the evaluation of the security level of an application or a system in terms of level of risk acceptance
  • Create a model that gives an overall picture of the criticality of an application in a predictive mode
  • Model the application with security metrics in order to be able to apply an a-priori what-if analysis
  • Create a set of metrics to be able to predict, in terms of risk acceptance, the security of new development components within an existing application
  • Etc.

  4. SSDLC (diagram; only the box labels survive): Development Environment, Unit test, Pre-Production, Production, Deployment, Application security post deployment, with a "KRI control" box at three points along the lifecycle.

  5. A glance at the idea (diagram; only the box labels survive): code; Application test (pen test, code review, etc.); Check vulnerabilities (create/collect metrics); Statistical analysis; Security models and index for architects, developers and process managers; Usage of models to predict the security level of new applications under design and development.

  6. How (this is not a timetable)
  STEP 1:
  • Analyse existing working groups in this area, also from other associations, to verify the goals and to create links
  • Check existing studies in this area, to create a strong research base to start from
  • Collect and enumerate all the existing metrics in security (application and process) in order to have a complete view of what can be used (we do not want to reinvent the wheel)
  • Analyse and evaluate the most common application vulnerabilities (i.e. the OWASP Top Ten) in terms of their frequency
  Then...
  • Collect data from applications in order to verify the assumptions
  • Define a first set of metrics that will allow us to measure and evaluate security levels, in order to create a model for a security index
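The slides describe the intent (a security index built from vulnerability frequency, a KRI control gate, an a-priori what-if analysis for new components) without defining the model. The following is an added illustration, not the PASSWD model or any code from the authors: it uses a constructed findings data set, hypothetical severity weights and a hypothetical risk-acceptance threshold to show how those three pieces could fit together in the simplest possible form.

```python
"""Illustrative security index, KRI gate and what-if estimate.

Hypothetical model written for this page; it is NOT the PASSWD model
from the presentation. Weights, threshold and data are all assumptions.
"""
from collections import Counter

# Constructed sample data: (application, vulnerability category, severity).
# Category names loosely follow OWASP Top Ten vocabulary; values are made up.
SAMPLE_FINDINGS = [
    ("app-a", "XSS", "high"),
    ("app-a", "XSS", "medium"),
    ("app-a", "SQL injection", "high"),
    ("app-b", "XSS", "low"),
    ("app-b", "CSRF", "medium"),
    ("app-c", "Information leakage", "low"),
]

# Hypothetical severity weights (assumption, not from the presentation).
SEVERITY_WEIGHT = {"low": 1.0, "medium": 3.0, "high": 9.0}

# Hypothetical risk-acceptance threshold acting as the KRI: an application
# whose index exceeds it needs review before deployment.
RISK_ACCEPTANCE_THRESHOLD = 15.0


def category_frequency(findings):
    """Relative frequency of each vulnerability category over all findings
    (the 'frequency of the most common vulnerabilities' of slide 6)."""
    counts = Counter(category for _, category, _ in findings)
    total = sum(counts.values())
    return {category: n / total for category, n in counts.items()}


def security_index(findings, app):
    """Objective index for one application: sum of the severity weights of
    its findings. Higher means worse."""
    return sum(SEVERITY_WEIGHT[sev] for a, _, sev in findings if a == app)


def kri_status(index, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """KRI control: 'accept' while the index stays within risk acceptance,
    otherwise 'review'."""
    return "accept" if index <= threshold else "review"


def expected_finding_weight(findings):
    """Mean severity weight per finding across the whole portfolio: the
    a-priori expectation used for a component that has not been tested yet."""
    weights = [SEVERITY_WEIGHT[sev] for _, _, sev in findings]
    return sum(weights) / len(weights)


def what_if(findings, app, expected_new_findings):
    """A-priori what-if analysis (slide 3): predict the index of `app` after a
    new component with `expected_new_findings` anticipated findings is added,
    using the historical mean weight. Returns (predicted_index, kri_status)."""
    predicted = security_index(findings, app) + (
        expected_new_findings * expected_finding_weight(findings)
    )
    return predicted, kri_status(predicted)


if __name__ == "__main__":
    for app in ("app-a", "app-b", "app-c"):
        idx = security_index(SAMPLE_FINDINGS, app)
        print(f"{app}: index={idx:.1f} -> {kri_status(idx)}")
    print("category frequency:", category_frequency(SAMPLE_FINDINGS))
    print("app-b + component with 3 expected findings:",
          what_if(SAMPLE_FINDINGS, "app-b", 3))
```

With the constructed data, app-a already exceeds the threshold (index 21) while app-b is accepted at 4; adding a component expected to bring three findings of portfolio-typical severity pushes app-b to 17 and into review, which is the kind of a-priori answer the what-if analysis on slide 3 is after. A real model would replace the flat mean with per-category or per-component estimates and calibrate the weights and threshold against collected data, as slide 6 proposes.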
