Metrics, methods and tools to measure trustworthiness



Similar documents
Metrics, Methods and Tools to Measure Security and Trustworthiness. Measuring trustworthiness

Protecting Database Centric Web Services against SQL/XPath Injection Attacks

Learning objectives for today s session

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

Security Testing for Web Applications and Network Resources. (Banking).

Comparing the Effectiveness of Penetration Testing and Static Code Analysis

ESKISP Manage security testing

Using Web Security Scanners to Detect Vulnerabilities in Web Services

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

ASE STUDY. Performance Testing & Security Testing for Web Applications.

A clustering Approach for Web Vulnerabilities Detection

WebGoat for testing your Application Security tools

PUTTING NIST GUIDELINES FOR INFORMATION SECURITY CONTINUOUS MONITORING INTO PRACTICE

HP Fortify application security

Application Security Testing as a Foundation for Secure DevOps

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Streamlining Application Vulnerability Management: Communication Between Development and Security Teams

SECURITY METRICS: MEASUREMENTS TO SUPPORT THE CONTINUED DEVELOPMENT OF INFORMATION SECURITY TECHNOLOGY

Integrating Tools Into the SDLC

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Securing PHP Based Web Application Using Vulnerability Injection

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007

Trust and Dependability in Cloud Computing

How To Manage Cloud Data Safely

IG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY

F5 Silverline Web Application Firewall Onboarding: Technical Note

Using Web Security Scanners to Detect Vulnerabilities in Web Services

Baseline: Metrics for setting a baseline for web vulnerability scanners

THE BENEFITS OF UNDERSTANDING TROUBLESHOOTING AND TUNING FOR ACUNETIX WEB VULNERABILITY SCANNING

Dynamic Trust Management for the Internet of Things Applications

GSBI Social Enterprise Stage Assessment Tool

Think like an MBA not a CISSP

HP Application Security Center

MOBILE MALWARE REPORT

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

Software Engineering Compiled By: Roshani Ghimire Page 1

Analyzing the Accuracy and Time Costs of Web Application Security Scanners

Protecting Database Centric Web Services against SQL/XPath Injection Attacks

HKITPC Competency Definition

IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies

HP Fortify Software Security Center

Agile and Secure: OWASP AppSec Seattle Oct The OWASP Foundation

Risk mitigation for business resilience White paper. A comprehensive, best-practices approach to business resilience and risk mitigation.

Building Security Into The Software Life Cycle

Application Code Development Standards

EFFECTIVE VULNERABILITY SCANNING DEMYSTIFYING SCANNER OUTPUT DATA

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Cloud Security Specialist Certification Self-Study Kit Bundle

Penetration Testing Tools

FlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk

Background. HSBC DOD VA Masters in Computer Science Somerset Recon. Avid CTF Competitor

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Cyber Security Controls Assessment : A Critical Discipline of Systems Engineering

Reflective Summary Project Risk Management. Anthony Bowen. Northcentral University

Agile and Secure: Can We Be Both?

Penetration Testing Service. By Comsec Information Security Consulting

Network Security: A Critical Component to Any Business IT Plan.

CHAPTER - 4: QUALITY STANDARDS: THE MISSED OPPORTUNITIES

Web Application Security Roadmap

Automatic vs. Manual Code Analysis

Certified Information Security Manager (CISM)

New IBM Security Scanning Software Protects Businesses From Hackers

SOFTWARE TESTING PROCESSES PRESENTATION

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together. Dan Cornell. CTO, Denim

GOVERNANCE DEFINED. Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts

Risk-Informed Security: Summary of Three Workshops

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.

Web Applications The Hacker s New Target

Service management White paper. Manage access control effectively across the enterprise with IBM solutions.

Blind SQL Injection Are your web applications vulnerable?

Business Case Outsourcing Information Security: The Benefits of a Managed Security Service

Information Technology Strategic Plan

Risk and Security Assessment. Zbigniew Kalbarczyk

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Transcription:

Metrics, methods and tools to measure trustworthiness Henrique Madeira AMBER Coordination Action University of Coimbra March 9 th, 2009 1

Measuring trustworthiness Trustworthy ICT should be: Secure Dependable Resilient to attacks, operational faults and changes Quite different types of animals Require different metrics, methods and tools 2

Measuring trustworthiness Trustworthy ICT should be: Secure Dependable Resilient Measuring, assessing, and benchmarking dependability and resilience is far from being solved to attacks, operational faults and changes Measuring, assessing and benchmarking security is even harder 3

What we have in mind when we talk about security measuring? Qualitative and quantitative measurements Quantitative measurement in two flavors: Relative sense (benchmarking), to choose among alternatives Absolute sense, to give guaranties to users Predictive value At different levels Organizational measurements: measure effectiveness of organizational processes Technical measurements: assess/compare technical objects Operational measurements: produced as a part of normal operations Throughout systems lifecycle 4

Limitations of existing security measuring methods? In general, are focused on specific aspects of security. Lots of useful methods that help improving security, but none of them can quantify security. Methods based on process guidelines and best practices Red Teams, that may be effective in finding problems Formal methods fail proving absolute security in realistic scenarios, although useful to find problems Vulnerability detection approaches Etc Lack of predictive metrics and methods. Organizational-level and technical security metrics are not integrated to provide a comprehensive view 5

Challenge 1 Metrics, methods, and tools Appropriate security metrics? Methods for estimating security metrics Which metrics? Just a small number? Specific of a given context? Metrics purpose (related Effective to evaluation requirements)? tools Metrics at different levels: component, system, infrastructure, organization, Product oriented and process oriented Applied throughout the system lifecycle Metric composition, namely how to relate organizational and technical security metrics. 6

Challenge 1 Metrics, methods, and tools Appropriate security metrics? Methods for estimating security metrics Effective evaluation tools Which methods? Formal, experimental, risk assessment, threat & vulnerability assessment, Should be both model and experimentally based 7

Challenge 1 Metrics, methods, and tools Example of benchmarking vulnerability scanners tools Appropriate security metrics? Methods for estimating security metrics Effective evaluation 3tools Vulnerability Scanner 3 Effective tools that can be used by practitioners (detected 73/117) Vulnerability Scanner 1 (detected 51/117) 2 6 1 7 0 1 6 1 Integration of different tools in a toolset, including tools Vulnerability for organizational Scanner 1 = Acunetix and Web technical Vulnerability metrics Scanner 4 Vulnerability Scanner 2 = Watchfire AppScan 7 (aquired by IBM) Vulnerability Scanner 3 = Spi Dynamics WebInspect 6.32 (aquired by HP) 3 7 1 7 Detected by manual scanning only Vulnerability Scanner 2 (detected 27/117) 8 8

Challenge 2 Validation Properties Representativeness Repeatability Reproducibility Portability Scalability Generalization Just being pragmatic is enough? 9

Challenge 3 Impact and relevance How to select the challenges and research problems that maximize the impact of research outcomes? Metrics that promote security improvement User view Industry Metrics that show the return on investment Regulation policy Benchmarking 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information