Presentation by Yvette du Toit at ISSA in 2011.
This presentation is about application assessment metrics and their challenges, with examples of SensePost's own metrics.
3. Agenda
• Background
• Approach
• Examples
• Challenges with Application Security Metrics
• Q&A

Background
• As Security Consultants we write reports
  – Test, analyse, write up findings, submit to client
  – Issues still remain open – why?
  – Reports do not say enough
  – Clients question the value reports offer
• Solution – metrics / visualisation
  – Graphs, colour, size etc.
• First – let's take a look at what reports say…
  – Qualitative ratings
  – Best practice
ASSESSMENTS • VULNERABILITY MANAGEMENT • CONSULTING • TRAINING
4. What do Reports Say?
• 2007 - 2011
• Many words…
• Content (Exec Summary, Technical Summary, Conclusion)
• Are actions effective?
• What would be more valuable – comparison (time & peers)
• How do we use metrics?

Report type    Pages   Words
Assessments    638     224587
Re-Tests       137     28164
Total          775     252751
5. Approach (Definition)
• Metrics – definition
  – Quantifiable
  – Characteristics
• 3 Metric Veterans:
  – Jaquith – "those that support decision making about risk for the purpose of managing that risk"
  – Marty – "a picture paints a thousand log records"
  – Godin – "just because something is easy to measure doesn't mean it's important"
• NB: Measure what is important and what will yield "useful" information
  – Examples of metrics that are not necessarily useful follow
6. Useful? (Approach: Example)
• Metrics can be misleading
7. Useful? (Approach: Example)
• Metrics are not always 100% useful
8. Approach (Introduction)
• Why? To illustrate useful information:
  – Recurring issues
  – Time required to compromise
  – Top 10 list
  – Effectiveness of remediation
  – Benchmarking
• Who? 7 organisations in the financial sector
• When? 3 ½ years
• How? Data capture process
  – Marco Slaviero (Head of R&D)
  – Spreadsheet for data capture
  – Report meta-data (project length, frameworks, dates etc.)
  – Findings categorised (pre-defined list of vulns)
  – Findings ranked (Impact, EoE, Threat metric)
• Normalisation
  – Allows for comparison across time and peers
9. Annual Distribution of Project (Days)
(chart only; no text content on this slide)
10. SensePost Metrics Proposal (Our Metrics)
• Metrics extracted from report data:
  – Timelines (plotting projects on a timeline)
  – Basic counts and statistics (uncover counts)
    • Number of projects
    • Number of days
    • Number of words and pages in report
  – Threat metrics (findings per threat level)
  – Bug class metrics (findings across categories)
  – Top 10 list
  – Re-Test metrics
  – Benchmarks (comparison to peers)
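The data capture process on slide 8 (findings categorised from a pre-defined list, ranked by Impact and Ease of Exploitation, then normalised) and the metrics list on slide 10 describe a pipeline without showing it. The Python below is an added illustration, not SensePost's tooling: the deck does not publish how the threat metric is derived from Impact and EoE, nor what the normalisation divides by, so the impact × EoE bucketing and the "high-threat findings per 10 assessment days" rate are assumptions, and the two anonymised organisations and their findings are constructed sample data.

```python
"""Report-derived application security metrics: threat level, bug class,
top-N, re-test effectiveness and a normalised peer benchmark.

Added example, not SensePost's own code.  Assumptions (not on the slides):
threat = impact * ease-of-exploitation, bucketed; normalisation = high-threat
findings per 10 assessment days.  All data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Finding:
    fid: str        # stable id so a re-test can be matched to the original
    org: str        # client organisation (anonymised peer)
    year: int
    category: str   # from the pre-defined vulnerability list
    impact: int     # 1 (low) .. 3 (high)
    eoe: int        # ease of exploitation: 1 (hard) .. 3 (trivial)


@dataclass(frozen=True)
class Project:
    org: str
    year: int
    days: int       # assessment length from report meta-data, used for normalisation


def threat_level(f: Finding) -> str:
    """Assumed threat metric: impact x EoE (1..9), bucketed into three levels."""
    score = f.impact * f.eoe
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def threat_metrics(findings):
    """Threat metrics: number of findings per threat level."""
    return Counter(threat_level(f) for f in findings)


def bug_class_metrics(findings):
    """Bug class metrics: number of findings per pre-defined category."""
    return Counter(f.category for f in findings)


def top_n(findings, n=10):
    """Top-N list of recurring issues, most common category first."""
    return bug_class_metrics(findings).most_common(n)


def retest_metrics(original, retest_open_ids):
    """Re-test metrics: how much of the original report was actually remediated."""
    still_open = [f for f in original if f.fid in retest_open_ids]
    return {
        "original": len(original),
        "still_open": len(still_open),
        "fixed_ratio": round(1 - len(still_open) / len(original), 2) if original else None,
        "still_open_high": sum(1 for f in still_open if threat_level(f) == "high"),
    }


def normalised_rate(findings, projects, org, per_days=10):
    """Assumed normalisation: high-threat findings per `per_days` assessment days,
    so a 10-day and a 20-day engagement become comparable."""
    days = sum(p.days for p in projects if p.org == org)
    highs = sum(1 for f in findings if f.org == org and threat_level(f) == "high")
    return round(highs / days * per_days, 2) if days else None


def benchmark(findings, projects):
    """Benchmark: each organisation's normalised rate against the peer average."""
    rates = {o: normalised_rate(findings, projects, o) for o in sorted({p.org for p in projects})}
    known = [r for r in rates.values() if r is not None]
    avg = mean(known) if known else 0.0
    return {o: {"rate": r, "vs_peers": round(r - avg, 2)} for o, r in rates.items() if r is not None}


# Constructed sample data (not real client data): two anonymised organisations.
PROJECTS = [Project("bank-a", 2010, 10), Project("bank-b", 2010, 20)]
FINDINGS = [
    Finding("a1", "bank-a", 2010, "SQL injection", 3, 3),
    Finding("a2", "bank-a", 2010, "XSS", 2, 3),
    Finding("a3", "bank-a", 2010, "Information leakage", 1, 2),
    Finding("a4", "bank-a", 2010, "XSS", 2, 2),
    Finding("b1", "bank-b", 2010, "Broken authentication", 3, 2),
    Finding("b2", "bank-b", 2010, "XSS", 2, 3),
    Finding("b3", "bank-b", 2010, "Information leakage", 1, 1),
    Finding("b4", "bank-b", 2010, "SQL injection", 3, 1),
]
# Constructed re-test outcome for bank-a: a1 and a4 fixed, a2 and a3 still open.
RETEST_OPEN_A = {"a2", "a3"}

if __name__ == "__main__":
    print(threat_metrics(FINDINGS))
    print(top_n(FINDINGS, 3))
    print(retest_metrics([f for f in FINDINGS if f.org == "bank-a"], RETEST_OPEN_A))
    print(benchmark(FINDINGS, PROJECTS))
```

The benchmark is where normalisation earns its place: both constructed organisations have two high-threat findings, so a raw count ranks them equal, but bank-a reached that count in half the assessment days and therefore sits above the peer average while bank-b sits below it. The re-test metric likewise reports not just how many findings were closed but how many high-threat ones remain open, which is the question the slides say plain reports leave unanswered.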