What exists

PASSWD (Prediction of Applications and Systems Security Within Development): how to create a model that will help in predicting and monitoring the security of an application. OWASP – Portugal – November 2008. Lucilla Mancini – Massimo Biagiotti. [email protected] [email protected] (blonde secretary)


Transcript of What exists

Page 1: What exists

PASSWD (Prediction of Applications and Systems Security Within Development)

How to create a model that will help in predicting and monitoring the security of an application

OWASP – Portugal – November 2008
Lucilla Mancini – Massimo Biagiotti

[email protected] [email protected] (blonde secretary)

Page 2: What exists

What exists

• Metrics for security programs

• Metrics to evaluate security level improvement within an organisation

• Models and standards to map the security levels within an organisation

• "Improvement programs" for security, based on models like SPICE (ISO 15504) or CMM

• ISECOM (RAV, SCARE), NIST (SAMATE), etc.

Page 3: What exists

Which are our goals

• We want to change the point of view… not only process or code, but applications and systems
– Most of the existing models start from quality metrics
– Most of the existing models look at processes

• Set up a set of metrics, both objective and subjective, that allow the evaluation of the security level of an application or a system in terms of its level of risk acceptance

• Create a model that gives an overall picture of the criticality of an application in a predictive mode

• Model the application with security metrics in order to be able to apply an a-priori what-if analysis

• Create a set of metrics to be able to predict, in terms of risk acceptance, the security of new development components within an existing application

• Etc.

Page 4: What exists

SSDLC

[Diagram: lifecycle stages Development Environment (Unit test) → Deployment → Pre-Production → Production, with a KRI control point at each stage; application security post deployment]

Page 5: What exists

A glance on the idea

[Diagram: code → Application test (Pen Test, code review, etc.) → Check vulnerabilities (create/collect metrics) → Statistical analysis → Security models and index for architects, developers and process managers → Usage of models to predict the security level of new applications under design and development]

Page 6: What exists

How (this is not a timetable)

STEP 1:
• Analyse existing working groups in this area, also from other associations, to verify the goals and to create links
• Check existing studies in this area, to create a strong research base to start from
• Collect and enumerate all the existing metrics in security (application and process) in order to have a complete view of what can be used (we do not want to reinvent the wheel)
• Analyse and evaluate the most common application vulnerabilities (i.e. OWASP Top Ten) in terms of their frequency

Then…
• Collect data from applications in order to verify the assumptions
• Define a first set of metrics that will allow us to measure and evaluate security levels, in order to create a model for a security index
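The pipeline sketched on page 5 (test findings → metrics → statistical base → index → prediction for a new application) and the frequency-analysis and security-index steps listed above, worked through as an added example. This is not code from the PASSWD project or the slides: the findings are constructed records, the severity weights, the index formula 1/(1 + weighted load), the per-component-type rates and the KRI thresholds are all illustrative choices of mine, and the category labels follow the OWASP Top 10 (2007 edition) that a 2008 deck would have referenced.

```python
"""Added example, not part of the PASSWD slides: a minimal metrics-to-index
pipeline on constructed pen-test / code-review findings.

Assumptions (mine, not the deck's): severity weights, the index formula,
per-component-type rates as the "statistical analysis", and KRI thresholds.
"""
from collections import Counter, defaultdict, namedtuple

Finding = namedtuple("Finding", "app component_type category severity stage")

# Illustrative severity weights (assumption).
SEVERITY_WEIGHT = {"high": 1.0, "medium": 0.5, "low": 0.2}

# Constructed findings from "application tests" on two existing applications.
FINDINGS = [
    Finding("billing", "web-form-db", "A2 Injection Flaws", "high", "pre-production"),
    Finding("billing", "web-form-db", "A1 Cross Site Scripting", "medium", "unit-test"),
    Finding("billing", "auth-module", "A7 Broken Authentication", "high", "production"),
    Finding("billing", "file-upload", "A3 Malicious File Execution", "high", "pre-production"),
    Finding("portal", "web-form-db", "A1 Cross Site Scripting", "low", "unit-test"),
    Finding("portal", "web-form-db", "A2 Injection Flaws", "medium", "pre-production"),
    Finding("portal", "auth-module", "A5 Cross Site Request Forgery", "medium", "production"),
    Finding("portal", "report-export", "A6 Information Leakage", "low", "pre-production"),
]

# Constructed denominators: how many components of each type were tested.
COMPONENTS_TESTED = {"web-form-db": 4, "auth-module": 2, "file-upload": 1, "report-export": 2}


def category_frequency(findings):
    """Frequency of each OWASP category: (count, share of all findings)."""
    counts = Counter(f.category for f in findings)
    total = sum(counts.values())
    return {cat: (n, n / total) for cat, n in counts.items()}


def weighted_load(findings):
    """Severity-weighted number of findings."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def security_index(load):
    """Illustrative index in (0, 1]: 1.0 for a clean application, lower with load."""
    return 1.0 / (1.0 + load)


def app_index(findings, app):
    """Index of an existing application, measured from its own findings."""
    return security_index(weighted_load([f for f in findings if f.app == app]))


def component_rates(findings, tested):
    """Statistical base: weighted findings per tested component of each type.
    This is what lets the model speak about components that are not yet built."""
    load = defaultdict(float)
    for f in findings:
        load[f.component_type] += SEVERITY_WEIGHT[f.severity]
    return {ctype: load[ctype] / n for ctype, n in tested.items()}


def predict_index(planned, rates):
    """A-priori what-if: expected load and index of a planned application,
    given as {component_type: number of such components}."""
    expected = sum(rates[ctype] * n for ctype, n in planned.items())
    return expected, security_index(expected)


def kri_status(findings, stage, max_high):
    """KRI control at one lifecycle stage: high-severity findings found there
    against the threshold accepted for that stage; True means the KRI is breached."""
    high = sum(1 for f in findings if f.stage == stage and f.severity == "high")
    return high, high > max_high


if __name__ == "__main__":
    for cat, (n, share) in sorted(category_frequency(FINDINGS).items()):
        print(f"{cat}: {n} findings ({share:.0%})")
    for app in ("billing", "portal"):
        print(f"index[{app}] = {app_index(FINDINGS, app):.3f}")
    rates = component_rates(FINDINGS, COMPONENTS_TESTED)
    planned = {"web-form-db": 3, "auth-module": 1, "report-export": 2}
    expected, idx = predict_index(planned, rates)
    print(f"planned app: expected load {expected:.2f}, predicted index {idx:.3f}")
    for stage, limit in (("pre-production", 2), ("production", 0)):
        print(f"KRI {stage}: high={kri_status(FINDINGS, stage, limit)[0]} breached={kri_status(FINDINGS, stage, limit)[1]}")
```

The point of the split between `app_index` and `predict_index` is the deck's predictive mode: the first scores an application that already exists and has been tested, the second scores one that exists only as a list of planned component types, using rates learned from the collected findings. The rates are only as good as the denominators, so the number of components actually tested per type has to be recorded alongside the findings themselves.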