PASSWD(Prediction of applications and systems securityWithin development)how to create a model that will help in predicting and monitoring the security of an applicationOWASP – Portugal – november 2008Lucilla Mancini – Massimo Biagiottilucilla.email@example.com@business-e.it (blonde secretary)
What exists • Metrics for security programs • Metrics to evalute security level improvement within an organisation • Models and standards to map the security levels within and organisation • “Improvement programs” for security, based on models like SPICE (ISO15504) or CMM • ISECOM(RAV,SCARE),NIST( SAMATE)ecc.
Which are our goals • We want to change the point of view…not only process or code but applications and systems • Most of the existing models start from quality metrics • Most of the existing models look at processes • Set up a set of metrics both objective and subjective that allow the evaluation of the security level of an application or a system in terms of level of risk acceptance • Create a model that gives an overall picture of the criticality of an application in a predictive mode • Model the application with security metrics in order to be able to apply an a-priori what-if analysis • Create a set of metrics to be able to predict in terms of risk acceptance the security of new development components within an existing application • Etc.
SSDLC Production Pre-Production Unit test Development Environment Deployment Application security post deployment KRI control KRI control KRI control
A glance on the idea code code code Usage of models to predict security level of new application under design and development Application test (Pen Test, code review…etc) Check Vulnerabilities (Create/collect Metrics) Security models and Index for architects, Developers and process manager Statistical analysis
How (this is not a timetable) STEP 1: • analyse existing working group in this area, also from other associations to verify the goals and to create links • Check existing studies in this area, to create a strong research base to start from • Collect and enumerate all the existing metrics in security (application and process) in order to have a complete view of what can be used (we do not want to reinvent the wheel) • Analyse and evaluate the most common application vulnerabilities (i.e. OWASP top ten) in terms of their frequency Then….. • Collect data from applications in order to verify the assumptions • Define a first set of metrics that will allow to measure and evaluate security levels, in order to create a model for a security index