“Good Enough” Metrics Jeremy Epstein Senior Director, Product Security webMethods, Inc.

Slides:

Advertisements

Similar presentations

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Advertisements

GHOST glibc gethostbyname() Vulnerability CVE Johannes B. Ullrich, Ph.D. SANS Technology Institute

Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.

G. Alonso, D. Kossmann Systems Group

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

Security and Open Source: the 2-Edged Sword Crispin Cowan, Ph.D WireX Communications, Inc wirex.com.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Online Performance Auditing Using Hot Optimizations Without Getting Burned Jeremy Lau (UCSD, IBM) Matthew Arnold (IBM) Michael Hind (IBM) Brad Calder (UCSD)

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Designing classes How to write classes in a way that they are easily understandable, maintainable and reusable 4.0.

1 Software Testing and Quality Assurance Lecture 33 – Software Quality Assurance.

Copyright Silicon Defense Worm Overview Stuart Staniford Silicon Defense

Hypothesis Tests for Means The context “Statistical significance” Hypothesis tests and confidence intervals The steps Hypothesis Test statistic Distribution.

SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Security Comparisons of Open Source and Closed Source Programs Katherine Wright.

WHAT IS CLOUD COMPUTING? PRESENTED BY BRIAN DUKE, RISHI SINGH & JOSE CERVANTES.

Windows 2000 is a continuation of the Microsoft Windows NT family of operating systems, replacing Windows NT 4.0. Originally called Windows NT 5.0, then.

The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Reverse Benchmarking -- Tom Stracener, Sr. Security Analyst, Cenzic Inc. Toorcon 9.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Chapter 11 Databases.

Web Server Administration Chapter 10 Securing the Web Environment.

Software Engineering Modern Approaches

Software Assurance Session 15 INFM 603. Bug hunting vs. vulnerability spotting Bugs are your code not behaving as you designed it. Many can be found by.

SWE 316: Software Design and Architecture – Dr. Khalid Aljasser Objectives Lecture 11 : Frameworks SWE 316: Software Design and Architecture  To understand.

15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

CMS Security Justin Klein Keane CMS Working Group March 3, 2010.

Accelerating Development Using Open Source Software Black Duck Software Company Presentation.

Open Source and IP Telephony: Myth Busters, Best Practices and Real Life Application in the Contact Center Kelly Duerr, Senior Product Manager Tom Chamberlain,

SECURITY ENGINEERING 2 April 2013 William W. McMillan.

1 CHAPTER 2 LAWS OF SECURITY. 2 What Are the Laws of Security Client side security doesn’t work Client side security doesn’t work You can’t exchange encryption.

Chapter 14 Part II: Architectural Adaptation BY: AARON MCKAY.

Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.

Massive Stochastic Testing of SQL Don Slutz Microsoft Research Presented By Manan Shah.

Software Assurance Session 13 INFM 603. Bugs, process, assurance Software assurance: quality assurance for software Particularly assurance of security.

Sullivan – Fundamentals of Statistics – 2 nd Edition – Chapter 10 Section 1 – Slide 1 of 34 Chapter 10 Section 1 The Language of Hypothesis Testing.

Some possible final exam questions. DISCLAIMER models only These questions are models only. Some of these questions may or may not appear in the final.

Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Computer Hardware and Software Maintenance.

Rick Segal CEO Fixmo, Inc.. The Starting Point The Mobile Device is the most personal computer you will ever own.The Mobile Device is the most personal.

Broadband Data Quality: Issues for random digit dial surveys Progress & Freedom Foundation and Center for Public Integrity workshop John B. Horrigan Associate.

Presented by Teererai Marange. Background Open SSL Hearbeat extension Heartbleed vulnerability Description of work Methodology Summary of results Vulnerable.

Crispin Cowan, PhD CTO, Immunix Relative Vulnerability: An Empirical Assurance Metric.

Mario Čagalj Sveučilište u Splitu 2014/15. Sigurnost računala i podataka.

Chapter 8 Parameter Estimates and Hypothesis Testing.

Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.

Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.

Review of Statistics.  Estimation of the Population Mean  Hypothesis Testing  Confidence Intervals  Comparing Means from Different Populations  Scatterplots.

Lecture 16 Page 1 CS 236 Online Exploiting Statelessness HTTP is designed to be stateless But many useful web interactions are stateful Various tricks.

PRESENTERS: AMOL KOKJE, STEVEN OSBURN, SUNIT VERMA, TOSHA SHAH, KALP PARIKH Vetting Mobile Apps.

By Ramesh Mannava.  Overview  Introduction  10 secure software engineering topics  Agile development with security development activities  Conclusion.

Building Secure Web Applications with IDS Michael Chaney Technical Director ChainLink Networking Solutions, Inc.

How We Got Here PC and Internet changed the rules –Viruses, information sharing, “outside” and “inside” indistinguishable –Vulnerability research for.

Zero Day Attacks Jason Kephart. Purpose The purpose of this presentation is to describe Zero-Day attacks, stress the danger they pose for computer security.

Security in Opened versus Closed Systems – The Dance of Boltzmann, Coase and Moore Presented By Chad Frommeyer.

Presented by Edith Ngai MPhil Term 3 Presentation

Password Management Limit login attempts Encrypt your passwords

MANAGING APPLICATION SECURITY

Internet of Things Vulnerabilities

Ransomware in Web Apps OWASP Singapore.

ONLINE SECURE DATA SERVICE

White Box testing & Inspections

Collaborative Security: Securing Open Source Software

Presentation transcript:

“Good Enough” Metrics Jeremy Epstein Senior Director, Product Security webMethods, Inc.

webMethods Proprietary 2 INTEGRATE. ASSEMBLE. OPTIMIZE. The problem… We’re spending all our time arguing about which statistics we should gather Instead, we should gather all the numbers we can, and then figure out which ones matter

webMethods Proprietary 3 INTEGRATE. ASSEMBLE. OPTIMIZE. Some metrics we can gather today Lines of code Language(s) used Complexity metrics # of CVE entries reported # of Bugtraq reports # of vendor patches # of problems found by scanners # of problems found by fuzzers # of problems found by static analyzers Tendency to large fraction false positives; no standardization RetrospectiveDistant relationship to vulnerabilities

webMethods Proprietary 4 INTEGRATE. ASSEMBLE. OPTIMIZE. Relative Vulnerability – a real metric (kudos to Crispin Cowan, Novell) Concept: Given a product and some # of exploitable vulnerabilities in the product, measure % exploitable with and without an intrusion prevention system (IPS) Hypothesis: the IPS-protected version should have consistently fewer vulnerabilities than the product itself (and not introduce new vulnerabilities) Tested with Immunix vs. Red Hat 7.0 & 7.3 Questions How to extend to applications where there is no IPS? Is a metric for IPSs really what we want?

webMethods Proprietary 5 INTEGRATE. ASSEMBLE. OPTIMIZE. Leading Security Indicators – A Real Metric (aka “Seven Deadly Sins”) Goal: Estimate how good or bad software is likely to be by the self-reported answers to a handful of key questions Hypothesis: Good products will ace these; bad products will be obvious – don’t have to measure beyond this handful Method: Identify key security areas (e.g., how do you store passwords, do you provide encrypted connections) Results thus far: Hypothesis validated, but not enough data to relate fraction of sins committed into # of vulnerabilities Not applicable where the application gets to rely on an infrastructure (e.g., web server) for security features

webMethods Proprietary 6 INTEGRATE. ASSEMBLE. OPTIMIZE. Some metrics are retrospective If acquiring a product, want to know how many security vulnerabilities there are today Retrospective measures are only valuable as a reputational indicator for early adopters Vendor A products have many vulnerabilities Vendor B products are rock solid But if vendor A acquires vendor B, will A’s products get B’s reputation? Or vice versa? What if B acquires A? Retrospective metrics don’t help with new products or where vendor is unknown

webMethods Proprietary 7 INTEGRATE. ASSEMBLE. OPTIMIZE. What do metrics measure? xx Metrics are of limited value on their own… Trying to measure (in)security, or the product of the factors? # of Bugtraq entries is a measure of the product # of bugs found in a source code scan is a measure of (in)security f ( ) {(In)security} Absolute # of security vulnerabilities {Popularity} Is the product/vendor (dis)liked by hackers? {Ubiquity} Is the product well known/available? All metrics are created equal, but some metrics are more objective than others

webMethods Proprietary 8 INTEGRATE. ASSEMBLE. OPTIMIZE. But not all metrics are good metrics… CSI/FBI study Self-selected participants No validation of claims, especially for $ amounts Claims far more precision (typically 6 digits) than justified by number of responses (typically a few hundred), even if they were randomly selected Lesson learned “Good enough” metrics doesn’t mean any metrics regardless of quality

webMethods Proprietary 9 INTEGRATE. ASSEMBLE. OPTIMIZE. What we should do Open site for public release of data, with product type Number of (unfiltered) static or dynamic analysis hits Number of Bugtraq or CVE entries / time Average education/experience per developer # of LOC/developer/time % of code that’s reused from other products/projects % of code that’s third party (e.g., libraries) Leading security indicators adherence After data has been gathered for a while, maybe we can draw some conclusions…

webMethods Proprietary 10 INTEGRATE. ASSEMBLE. OPTIMIZE. In conclusion… METRICS JUST DO IT!

webMethods Proprietary 11 INTEGRATE. ASSEMBLE. OPTIMIZE. Contact information Jeremy Epstein Senior Director, Product Security (O) (M)