Application Assessment Metrics

ASSESSMENTS • VULNERABILITY MANAGEMENT • CONSULTING • TRAINING

PRESENTED BY:
Yvette du Toit
Agenda

•  Background
•  Approach
•  Examples
•  Challenges with Application Security Metrics
•  Q&A
Background

•  As security consultants we write reports
   –  Test, analyse, write up findings, submit to client
•  Issues still remain open – why?
   –  Reports do not say enough
   –  Clients question the value the report offers
•  Solution – metrics / visualisation
   –  Graphs, colour, size etc.
•  First – let's take a look at what reports say…
   –  Qualitative ratings
   –  Best practice
What do Reports Say?

•  2007 - 2011
•  Many words…
•  Content (Exec Summary, Technical Summary, Conclusion)
•  Are actions effective?
•  What would be more valuable – comparison (time & peers)
•  How do we use metrics?

                 Pages     Words
   Assessments     638    224587
   Re-Tests        137     28164
   Total           775    252751
Approach

•  Metrics – definition
   –  Quantifiable
   –  Characteristics
•  3 metrics veterans:
   –  Jaquith: "those that support decision making about risk for the purpose of managing that risk"
   –  Marty: "a picture paints a thousand log records"
   –  Godin: "just because something is easy to measure doesn't mean it's important"
•  NB: measure what is important and what will yield "useful" information
   –  Examples of metrics that are not necessarily useful
Useful?

•  Metrics can be misleading
•  Example

Useful?

•  Metrics are not always 100% useful
•  Example
Approach

•  Why? To illustrate useful information
   –  Recurring issues
   –  Time required to compromise
   –  Top 10 list
   –  Effectiveness of remediation
   –  Benchmarking
•  Who? 7 organisations in the financial sector
•  When? 3 ½ years
•  How? Data capture process
   –  Marco Slaviero (Head of R&D)
   –  Spreadsheet for data capture
   –  Report meta-data (project length, frameworks, dates etc.)
   –  Findings categorised (pre-defined list of vulns)
   –  Findings ranked (Impact, EoE, Threat metric)
•  Normalisation
   –  Allows for comparison across time and peers
Annual Distribution of Project (Days)
SensePost Metrics Proposal

•  Metrics extracted from report data:
   –  Timelines (plotting projects on a timeline)
   –  Basic counts and statistics (uncover counts)
      •  Number of projects
      •  Number of days
      •  Number of words and pages in report
   –  Threat metrics (findings per threat level)
   –  Bug class metrics (findings across categories)
   –  Top 10 list
   –  Re-test metrics
   –  Benchmarks (comparison to peers)
SensePost Metrics in Action: Timelines

•  Useful?

                           Pages     Words
   Number of Assessments     638    224587
   Number of Re-Tests        137     28164
   Total                     775    252751

SensePost Metrics in Action: Threat Metrics

•  Useful?

SensePost Metrics in Action: Bug Classes

•  Useful?
•  See 56% of findings occur in the top 11 bug classes
•  2008 anomaly (no re-tests)

SensePost Metrics in Action: Top 10

•  Useful?

SensePost Metrics in Action: Re-Test

•  Useful?
•  29% of Critical and 42% of High-risk issues remain open

SensePost Metrics in Action: Benchmarks

•  Useful?
•  Our client positioned 3rd (not highlighted here)
Challenges

•  Bug counts vs bug classes
   –  Bug counts – number of findings
   –  Bug classes – categories
   –  Two-application scenario (10 findings in 1 bug class vs 1 finding in each of 10 bug classes)
•  Depth vs breadth
   –  Each occurrence – depth
   –  Each bug class – breadth
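The data capture, metrics proposal and challenges slides describe the pipeline only in outline. The script below is an added worked example, not SensePost's own tooling or data: it builds a small set of constructed findings in the shape of the capture spreadsheet (report metadata per project plus one categorised, ranked finding per row with its re-test outcome), then computes findings per threat level, the bug-class ranking and top-N share, the re-test open rate per threat level, a normalised rate used to benchmark peers within a year, and the depth/breadth measures from the Challenges slide. The client names, categories, counts, assessment lengths and field names are invented for the illustration, and normalising by assessment length in days is an assumption; the deck does not say how its own normalisation was done.

```python
"""Report-derived assessment metrics: an added worked example, not SensePost's
tooling or data. Rows are constructed in the shape of the capture spreadsheet
on the Approach slide; clients, categories, counts and days are invented."""
from collections import Counter, defaultdict

# Report metadata (constructed): (client, year) -> assessment length in days.
PROJECTS = {("BankA", 2009): 10, ("BankA", 2010): 10,
            ("BankB", 2010): 5, ("BankC", 2010): 20}


def finding(client, year, category, threat, open_after_retest=None):
    """One categorised, ranked finding; open_after_retest is None if never re-tested."""
    return {"client": client, "year": year, "category": category,
            "threat": threat, "open": open_after_retest}


FINDINGS = (
    # BankA 2009: ten findings in one class, no re-test (a gap like the 2008
    # anomaly on the bug-class slide).
    [finding("BankA", 2009, "SQL injection", "Critical") for _ in range(10)]
    + [finding("BankA", 2010, "SQL injection", "Critical", True),
       finding("BankA", 2010, "XSS", "High", False),
       finding("BankA", 2010, "Session management", "High", True),
       finding("BankA", 2010, "Information disclosure", "Low", False),
       # BankB 2010: the same raw count as BankA 2009, spread over ten classes.
       finding("BankB", 2010, "SQL injection", "Critical", False),
       finding("BankB", 2010, "XSS", "High", True),
       finding("BankB", 2010, "CSRF", "High", False),
       finding("BankB", 2010, "Access control", "High", True),
       finding("BankB", 2010, "Session management", "Medium", False),
       finding("BankB", 2010, "Input validation", "Medium", False),
       finding("BankB", 2010, "Weak crypto", "Medium", True),
       finding("BankB", 2010, "Information disclosure", "Low", False),
       finding("BankB", 2010, "Insecure configuration", "Low", False),
       finding("BankB", 2010, "Error handling", "Low", False),
       finding("BankC", 2010, "XSS", "High", True),
       finding("BankC", 2010, "XSS", "High", False),
       finding("BankC", 2010, "CSRF", "Medium", False),
       finding("BankC", 2010, "Information disclosure", "Low", True),
       finding("BankC", 2010, "Information disclosure", "Low", False)]
)


def threat_metrics(findings):
    """Findings per threat level (the Threat Metrics slide)."""
    return dict(Counter(f["threat"] for f in findings))


def ranked_classes(findings):
    """Bug classes by frequency, ties broken by name so the Top 10 list is stable."""
    counts = Counter(f["category"] for f in findings)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def top_n_share(findings, n):
    """Fraction of all findings that fall in the n most common classes."""
    return sum(c for _, c in ranked_classes(findings)[:n]) / len(findings)


def retest_open_rate(findings):
    """Per threat level, share of re-tested findings still open at re-test.
    Projects without a re-test are excluded rather than counted as fixed."""
    total, still_open = Counter(), Counter()
    for f in findings:
        if f["open"] is not None:
            total[f["threat"]] += 1
            still_open[f["threat"]] += int(f["open"])
    return {t: still_open[t] / total[t] for t in total}


def findings_per_day(findings, projects):
    """Normalise raw counts by assessment length (an assumed normalisation)
    so projects of different size and year can be compared."""
    counts = Counter((f["client"], f["year"]) for f in findings)
    return {key: counts[key] / days for key, days in projects.items()}


def benchmark(findings, projects, year):
    """Rank peers for one year by normalised findings, lowest first:
    returns [(position, client, rate), ...]."""
    rates = findings_per_day(findings, projects)
    peers = sorted((r, c) for (c, y), r in rates.items() if y == year)
    return [(i + 1, c, r) for i, (r, c) in enumerate(peers)]


def depth_breadth(findings):
    """Per project: breadth = distinct bug classes, depth = findings per class."""
    classes = defaultdict(list)
    for f in findings:
        classes[(f["client"], f["year"])].append(f["category"])
    return {k: {"count": len(v), "breadth": len(set(v)), "depth": len(v) / len(set(v))}
            for k, v in classes.items()}


if __name__ == "__main__":
    print(threat_metrics(FINDINGS), "top 3 share %.2f" % top_n_share(FINDINGS, 3))
    print(retest_open_rate(FINDINGS))
    print(benchmark(FINDINGS, PROJECTS, 2010), depth_breadth(FINDINGS))
```

Run as a script to print each metric. Two points the slides make show up directly in the output: BankA 2009 and BankB 2010 both have ten findings, so a raw bug count ranks them equal, while depth and breadth separate them completely; and the re-test open rate leaves out projects that were never re-tested instead of treating their findings as fixed, which is what keeps a 2008-style gap from silently improving the remediation figure.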
Q&A

•  Thank you
•  Longer paper – mail me
•  Email: yvette@sensepost.com
•  Contact: +27 79 509 8913
