Magic Numbers. An In-Depth Guide to the 5 Key Performance Indicators for Web Application Security. Rafal Los HP Web Application Security Evangelist

Similar documents
Continuous???? Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

HP Application Security Center

Delivering Cost Effective IT Services

應 用 SIEM 偵 測 與 預 防 APT 緩 攻 擊

Enabling Continuous Delivery by Leveraging the Deployment Pipeline

Table of contents. Enterprise Resource Planning (ERP) functional testing best practices: Ten steps to ERP systems reliability

Business white paper. Best practices for implementing automated functional testing solutions

"Practical Security Testing for Web Applications"

10 Best Practices for Application Performance Testing

Application Test Management and Quality Assurance

SUSTAINING COMPETITIVE DIFFERENTIATION

White Paper. Software Development Best Practices: Enterprise Code Portal

Requirements-Based Testing: Encourage Collaboration Through Traceability

Support the Era of the App with End-to-End Network and Application Performance Visibility

Be Fast, but be Secure a New Approach to Application Security July 23, 2015

CaaS Think as a bad guy Petr Hněvkovský, CISA, CISSP HP Enterprise Security

Data Governance. Unlocking Value and Controlling Risk. Data Governance.

How SAP Business Intelligence Solutions provide real-time insight into your organization

IBM SECURITY QRADAR INCIDENT FORENSICS

WHITE PAPER Analytics for digital retail

Implement a unified approach to service quality management.

Business white paper. Missioncritical. defense. Creating a coordinated response to application security attacks

How to measure your business resiliency

Thinking about APM? 4 key considerations for buy vs. build your own

Enterprise Application Security Program

Measuring Performance

Find the intruders using correlation and context Ofer Shezaf

Obtaining Enterprise Cybersituational

Making Reporting Relevant - Automating capacity scorecards in Microsoft Excel

HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA Enterprise Security

HP Fortify application security

Vulnerability Management

How To Choose the Right Vendor Information you need to select the IT Security Testing vendor that is right for you.

Armanino LLP Welcomes You To Today s Webinar:

How To Manage Security On A Networked Computer System

HP ALM11 & MS VS/TFS2010

Overview, Goals, & Introductions

Manage projects effectively

Integrating Application Security into the Mobile Software Development Lifecycle. WhiteHat Security Paper

Senior Business Intelligence/Engineering Analyst

KnoahSoft Harmony TM Suite. Because Not All Agents are Created Equal

Analytics-driven Workforce Optimization

An Introduction to. Metrics. used during. Software Development

Advanced Solutions. Uniformance Suite. Real-time Digital Intelligence Through Unified Data, Analytics and Visualization

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

ALM120 Application Lifecycle Management 11.5 Essentials

Building Security into the Software Life Cycle

Business Case Outsourcing Information Security: The Benefits of a Managed Security Service

Enterprise Business Service Management

Workforce Optimization

Webinar. Feb

HP and netforensics Security Information Management solutions. Business blueprint

THE TOP 4 CONTROLS.

HP Fortify Software Security Center

HP Service Health Analyzer: Decoding the DNA of IT performance problems

Introduction to QualysGuard IT Risk SaaS Services. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe

Loss Prevention Data Mining Using big data, predictive and prescriptive analytics to enpower loss prevention

Qlik s Associative Model

can you improve service quality and availability while optimizing operations on VCE Vblock Systems?

Root Cause Analysis Concepts and Best Practices for IT Problem Managers

ISTQB Certified Tester. Foundation Level. Sample Exam 1

Data Visualization Choices

Creating a Business Intelligence Competency Center to Accelerate Healthcare Performance Improvement

Business Intelligence in SharePoint 2013

Improving Visibility into your Vulnerability Management Program

Attack Intelligence: Why It Matters

Getting it Right: How to Find the Right BI Package for the Right Situation Norma Waugh. RMOUG Training Days February 15-17, 2011

Introduction to Business Intelligence

Big Data Analytics- Innovations at the Edge

Managed Service Solutions Catalogue. MANAGED SERVICES SOLUTIONS CATALOGUE MS Offering Overview June 2014

How to Build a Trusted Application. John Dickson, CISSP

ITSM Maturity Model. 1- Ad Hoc 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimizing No standardized incident management process exists

WHY IT ORGANIZATIONS CAN T LIVE WITHOUT QLIKVIEW

Implementing Business Intelligence at Indiana University Using Microsoft BI Tools

Requirements Management im Kontext von DevOps

Pragmatic Metrics for Building Security Dashboards

Increasing Business Efficiency and Agility for ATGbased. Systems. the business challenge: upgrading the development pipeline

The Power of Installed-Base Intelligence: Using Quality Data and Meaningful Analysis to Drive Service Revenue WHITE PAPER

7. Key performance indicators (KPIs)

Web Application security testing: who tests the test?

Transcription:

Magic Numbers An In-Depth Guide to the 5 Key Performance Indicators for Web Application Security Rafal Los HP Web Application Security Evangelist Version 3.2 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Proceedings 1 Background 2 Essential KPIs 3 Applications 4 Practical Understand the need for business-level intelligence Identify essential KPIs, their definitions, components Applying the 5 Essential KPIs to Enterprise Programs A practical example of real-life application of KPIs 2

Background Metrics, KPIs, and Information Security 3

Security Metrics Primer INFORMATION SECURITY HAS HAD A ROUGH RELATIONSHIP WITH METRICS Three core issues with metrics in security: 1.Very little actuarial data to support initiatives Virtually no data supporting likelihood of being successfully attacked 2.Incorrect, hasty use of metrics as intelligence Vulnerabilities being used as risks Metrics math without context 3. It hasn t happened to me being used as a metric Many victims don t know, or won t admit it 4

Information Security hasn t capitalized on available metrics can KPIs save the day? 5

KPI Primer A key performance indicator (KPI) is a measure of performance, commonly used to help an organization define and evaluate how successful it is, typically in terms of making progress towards its long-term organizational goals. 6

KPI Primer A key performance indicator (KPI) is a measure of performance, commonly used to help an organization define and evaluate how successful it is, typically in terms of making progress towards its long-term organizational goals. 7

Business vs. IT Goals Business Goals IT Security Goals [Web App Sec] Test 100% web applications What are Business Goals? Zero vulnerabilities in production web applications SDLC-integrated security processes Continual environment scanning for new vulnerabilities Developer education & training Automate testing & compliance 8

Business thinks in terms of risk. Risk is bad, seen in shades of gray. Web application vulnerabilities contribute to IT risk IT risk is a factor of overall business risk Business goal: Reduce IT risk to acceptable level. Mindset reset 9

Tough Questions Will it be possible to perform an analysis of 100% of enterprise web applications? Will a zero vulnerability metric be reachable, practical or even desirable? Is vulnerability reduction the same as risk reduction? 10

Enterprise Application Security Program Challenges Challenges Get funded Justify required resources Find vulnerabilities Bugs in business critical apps Removing defects Decrease risks with a budget Proving success How do you prove success? Resources Security vulnerability metrics Application registries Defect tracking systems Data from tools, human testing 11

Essential KPIs Proving Success with Advanced Metrics 12

The 5 Key Performance Indicators (KPIs) WRT Weighted Risk Trend DRW Defect Remediation Window RDR Rate of Defect Recurrence SCM Specific Coverage Metric SQR Security to Quality defect Ratio KPIs provide business-level context to security-generated data KPIs answer the so what? question Each additional KPI indicates a step forward in program maturity None of these KPIs draw strictly from security data 13

KPI #1 Weighted Risk Trend Maturity Rank: 1 A business-based representation of risk from vetted web application security defects over a specified time-period, or repeated iterations of application development. Formula: [(Multiplier critical x defects) + (Multiplier high x defects) + (Multiplier medium x defects) + (Multiplier low x defects)] x *Criticality business Requirements Web application registry with business-level criticality assigned *Pull business criticality rating from DR documents Vetted web applications security defects by criticality level Mathematic plot capability 14

KPI #2 Defect Remediation Window Maturity Rank: 2 The length of time from when a vetted web application security defect is identified until it is verified closed. Requirements Defect tracking system, tracking web application security vulnerabilities in development, testing, and production environments Self-service testing, bug tracking, and reporting capabilities Cooperative security enablement thru development, QA, OPS teams 50 40 30 20 10 0 Man-Hours 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 15

KPI #3 Rate of Defect Recurrence Maturity Rank: 3 The rate, over time, at which previously closed web application security defects are re-introduced into a given application, organization, or other logical unit. Requirements Advanced defect tracking system Advanced web application security testing capabilities Capabilities to identify similar or like defects across an application or logical trackable unit 15 10 5 0 Recurring Defects 1 2 3 4 5 6 7 8 9 10 16

KPI #4 Specific Coverage Metric Maturity Rank: 4 The flow-based or component-based coverage of total functionality that web application security testing has achieved. Total functionality = known functionality + discovered functionality* Requirements Method for measuring total application surface (UI, API, code-level coverage methods) plus *advanced application discovery tools Advanced security testing capabilities using flow-based, data-driven methodology for completeness Integration with Quality Assurance for functional specification coverage 17

KPI #5 Security to Quality Defect Ratio Maturity Rank: 4 The ratio of security defects to the total number of software quality defects being generated (functional + performance + security). Formula: defects D s D t D s = Total Security defects; D t = Total Overall Quality Requirements Mature defect reporting system (tracking combined quality defects) Security as a quality defect Performance as a quality defect Functional (+related) as a quality defect Tight cooperation of Information Security & Quality Assurance 18

KPI Facts KPI: WRT KPI: DRW KPI: RDR Metric is best graphed Risk trend will decrease over time similar to 1 / x Each defect criticality must have a non-linear factor assigned Critical = 10 High = 5 Medium = 2 Low = 1 Application business criticality must be rigidly defined Business critical Critical Important #1 most critical KPI DRW will be potentially very large at first Critical to shrink this metric as quickly as possible Can be used to target education where needed Important to note type of defect remediated (complex defects take longer to fix) Reappearing defects measure internal development confusion Recurring defects should prompt a systemic investigation into rootcause Critical for identifying poorly-run development organizations 19

KPI Facts KPI: SCM Most difficult KPI to achieve Most organizations cannot identify even known attack surface coverage Flow-driven & data-driven methodology is required to fully test known attack surface Exploratory testing required to discover unknown functionality KPI: SQR Final step in organizational maturity with respect to security testing Demonstrates security adoption as a component of overall software quality 20

Applications Applying the KPIs 21

Applying KPIs to Web Application Security Programs What You Have What You Want

Failures of Common Metrics Common Metrics Failure Mode(s) Options? 1. Number of vulnerabilities found 2. Number of pages scanned/tested 3. Critical vulnerabilities found 4. Critical vulnerabilities fixed 1. So what? No context! 2. So what? Do pages matter? 3. Business-critical? Or IT-critical? Or? 4. Business-critical? Or IT-critical? Or? Business Context. KPIs provide business context to standard metrics reporting practices. 23

When Metrics Aren t Enough Objective Conclusively prove that risk is being reduced through program effort Remove subjectivity of metrics by providing business context Bring IT Security into higher-level business discussion Unify testing methodologies KPIs Answer Combine metrics with business-level context Provide direct feedback to the business to target ongoing effort Track program effectiveness including education, corporate remediation strategies Consolidate technical metrics into businesslevel dashboards Successfully break the security silo 24

Practical Real-life KPI use-case 25

Example Application the large financial Current Situation Complaints 1,500 web applications Security testing some web applications preproduction Difficult to halt critical applications Metrics collected, reported ad-hoc (per test) No way to prioritize effort Difficult to demonstrate if program spend is making a positive impact Impossible to have business-level conversation on security vulnerabilities in go-live applications No way of knowing what actual coverage is being achieved by security testing Result: Business down-plays security s role 26

Example Application the large financial Applied KPI Weighted Risk Trend (WRT) Application registry + business ranking to prioritize application testing Business context to go/no-go decisions for critical defects Demonstrate risk reduction in business-critical applications over time Demonstrate program spend effectiveness Applied KPI Defect Remediation Window (DRW) Produce baseline for defect remediation times Implement program plan to prevent security defects from making it to production Demonstrate program effectiveness by shrinking remediation window(s) 27

350 300 Vulnerability reduction, without business context 250 More vulnerabilities = more risk? 200 150 100 50 0 28 1 2 3 4 5 6 7 8 9 10 11 12

350 300 Vulnerability reduction, with business context 250 App criticality + defects = more risk 200 ERP Retail 150 Marketing 100 50 0 29 1 2 3 4 5 6 7 8 9 10 11 12

Example Application the large financial KPIs mean measurable gains Break the security silo Improve security team s posture in the business Apply business context to measure risk Make key go/no-go decisions intelligently with business support 30

Data is raw information Metrics are refined data KPIs are metrics with business-context Business context makes security relevant. 31

The 5 Key Performance Indicators (KPIs) WRT Weighted Risk Trend DRW Defect Remediation Window RDR Rate of Defect Recurrence SCM Specific Coverage Metric SQR Security to Quality defect Ratio KPIs are the difference between technical data points, and the actionable intelligence that information security needs. 32

Rafal Los - Security Evangelist, HP Email: Rafal@HP.com Direct: +1 (404) 606-6056 Twitter: Twitter.com/Wh1t3Rabbit Blog: HP.com/go/White-Rabbit 33

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information