PASSWD ( Prediction of applications and systems security Within development ) how to create a model that will help in predicting and monitoring the security.

Presentation transcript:

PASSWD (Prediction of Applications and Systems Security Within Development): how to create a model that will help in predicting and monitoring the security of an application. OWASP Portugal, November 2008. Lucilla Mancini, Massimo Biagiotti (blonde secretary)

What exists
- Metrics for security programs
- Metrics to evaluate security level improvement within an organisation
- Models and standards to map the security levels within an organisation
- "Improvement programs" for security, based on models like SPICE (ISO 15504) or CMM
- ISECOM (RAV, SCARE), NIST (SAMATE), etc.

Which are our goals
- We want to change the point of view: not only process or code, but applications and systems
  - Most of the existing models start from quality metrics
  - Most of the existing models look at processes
- Set up a set of metrics, both objective and subjective, that allow the evaluation of the security level of an application or a system in terms of the level of risk acceptance
- Create a model that gives an overall picture of the criticality of an application in a predictive mode
- Model the application with security metrics in order to be able to apply an a-priori what-if analysis
- Create a set of metrics to be able to predict, in terms of risk acceptance, the security of new development components within an existing application
- Etc.

SSDLC (figure): Development Environment, Unit test, Deployment, Pre-Production, Production; KRI control points at deployment and in production, plus application security post deployment.

A glance on the idea (figure): code -> Application test (pen test, code review, etc.) -> Check vulnerabilities (create/collect metrics) -> Statistical analysis -> Security models and index for architects, developers and process managers -> Usage of the models to predict the security level of new applications under design and development.

How (this is not a timetable)
STEP 1:
- Analyse existing working groups in this area, also from other associations, to verify the goals and to create links
- Check existing studies in this area, to create a strong research base to start from
- Collect and enumerate all the existing metrics in security (application and process) in order to have a complete view of what can be used (we do not want to reinvent the wheel)
- Analyse and evaluate the most common application vulnerabilities (i.e. OWASP Top Ten) in terms of their frequency
Then:
- Collect data from applications in order to verify the assumptions
- Define a first set of metrics that will allow us to measure and evaluate security levels, in order to create a model for a security index
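To make the "security index" and the a-priori what-if analysis from the goals and the "glance on the idea" slides concrete, here is an added toy model (not the PASSWD project's own code): per-component vulnerability findings are weighted by category, normalised by size, and the observed base rates are used to predict a component that has not been written yet and to check it against a risk acceptance threshold. The category weights, component names, LOC figures and findings are constructed for illustration.

```python
"""Toy security index with a what-if check for a new component.
Added example, not from the PASSWD slides; weights and findings are constructed."""
from dataclasses import dataclass, field

# Assumed severity weights per vulnerability category (constructed values).
CATEGORY_WEIGHT = {"injection": 5.0, "xss": 3.0, "auth": 4.0, "misconfig": 2.0}

@dataclass
class Component:
    name: str
    loc: int                                       # size, used to normalise
    findings: dict = field(default_factory=dict)   # category -> count

def component_index(c: Component) -> float:
    """Weighted findings per 1000 lines of code (lower is better)."""
    weighted = sum(CATEGORY_WEIGHT.get(k, 1.0) * v for k, v in c.findings.items())
    return weighted * 1000.0 / c.loc

def application_index(components: list) -> float:
    """Size-weighted mean of the component indices: the overall picture."""
    total_loc = sum(c.loc for c in components)
    return sum(component_index(c) * c.loc for c in components) / total_loc

def base_rates(components: list) -> dict:
    """Observed findings per 1000 LOC per category (the statistical step)."""
    total_loc = sum(c.loc for c in components)
    counts = {}
    for c in components:
        for k, v in c.findings.items():
            counts[k] = counts.get(k, 0.0) + v
    return {k: v * 1000.0 / total_loc for k, v in counts.items()}

def predict_component(name: str, loc: int, rates: dict, exposed: set) -> Component:
    """A-priori estimate for a component not yet written: apply the observed
    base rates only to the categories it will be exposed to."""
    return Component(name, loc, {k: rates[k] * loc / 1000.0 for k in exposed if k in rates})

def what_if(existing: list, new_loc: int, exposed: set, threshold: float) -> tuple:
    """Predicted application index after adding the component, and whether it
    still lies within the accepted level of risk."""
    new = predict_component("new", new_loc, base_rates(existing), exposed)
    predicted = application_index(existing + [new])
    return predicted, predicted <= threshold

# Constructed measurements for two components of an existing application.
APP = [Component("web", 10000, {"injection": 2, "xss": 5}),
       Component("api", 5000, {"auth": 3, "misconfig": 4})]
```

Running `what_if(APP, 3000, {"injection", "auth"}, threshold=3.0)` predicts the index of the application once a 3000 LOC back-end component is added and reports whether that prediction stays under the accepted threshold.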