
PASSWD ( Prediction of applications and systems security Within development ) how to create a model that will help in predicting and monitoring the security.


1 PASSWD (Prediction of Applications and Systems Security Within Development): how to create a model that will help in predicting and monitoring the security of an application
OWASP Portugal, November 2008
Lucilla Mancini, Massimo Biagiotti
lucilla.mancini@business-e.it
massimo.biagiotti@business-e.it
(blonde secretary)

2 What exists
- Metrics for security programs
- Metrics to evaluate the improvement of the security level within an organisation
- Models and standards to map the security levels within an organisation
- "Improvement programs" for security, based on models such as SPICE (ISO 15504) or CMM; ISECOM (RAV, SCARE), NIST (SAMATE), etc.

3 What our goals are
We want to change the point of view: not only process or code, but applications and systems.
- Most of the existing models start from quality metrics
- Most of the existing models look at processes
Our goals:
- Set up a set of metrics, both objective and subjective, that allow the security level of an application or a system to be evaluated in terms of its level of risk acceptance
- Create a model that gives an overall picture of the criticality of an application in a predictive mode
- Model the application with security metrics in order to be able to apply an a-priori what-if analysis
- Create a set of metrics that can predict, in terms of risk acceptance, the security of new development components within an existing application
- Etc.

4 SSDLC KRI (key risk indicator) control
Development -> Unit test -> Environment -> Deployment -> Pre-Production -> Production
KRI control is applied at deployment and again in production (application security post deployment).

5 A glance at the idea
Code -> Application test (pen test, code review, etc.) -> Check vulnerabilities (create/collect metrics) -> Statistical analysis -> Security models and index for architects, developers and process managers -> Usage of the models to predict the security level of a new application under design and development

6 How (this is not a timetable)
STEP 1:
- Analyse the existing working groups in this area, also from other associations, to verify the goals and to create links
- Check the existing studies in this area, to create a strong research base to start from
- Collect and enumerate all the existing metrics in security (application and process) in order to have a complete view of what can be used (we do not want to reinvent the wheel)
- Analyse and evaluate the most common application vulnerabilities (e.g. the OWASP Top Ten) in terms of their frequency
Then:
- Collect data from applications in order to verify the assumptions
- Define a first set of metrics that allows security levels to be measured and evaluated, in order to create a model for a security index

