“Good Enough” Metrics Jeremy Epstein Senior Director, Product Security webMethods, Inc.


1 “Good Enough” Metrics Jeremy Epstein Senior Director, Product Security webMethods, Inc.

2 webMethods Proprietary 2 INTEGRATE. ASSEMBLE. OPTIMIZE. The problem…
- We’re spending all our time arguing about which statistics we should gather
- Instead, we should gather all the numbers we can, and then figure out which ones matter

3 Some metrics we can gather today
- Lines of code
- Language(s) used
- Complexity metrics
- # of CVE entries reported
- # of Bugtraq reports
- # of vendor patches
- # of problems found by scanners
- # of problems found by fuzzers
- # of problems found by static analyzers
- Tendency to large fraction false positives; no standardization
- Retrospective
- Distant relationship to vulnerabilities

4 Relative Vulnerability – a real metric (kudos to Crispin Cowan, Novell)
- Concept: Given a product and some # of exploitable vulnerabilities in the product, measure % exploitable with and without an intrusion prevention system (IPS)
- Hypothesis: the IPS-protected version should have consistently fewer vulnerabilities than the product itself (and not introduce new vulnerabilities)
- Tested with Immunix vs. Red Hat 7.0 & 7.3
- Questions
  - How to extend to applications where there is no IPS?
  - Is a metric for IPSs really what we want?

5 Leading Security Indicators – A Real Metric (aka “Seven Deadly Sins”)
- Goal: Estimate how good or bad software is likely to be by the self-reported answers to a handful of key questions
- Hypothesis: Good products will ace these; bad products will be obvious – don’t have to measure beyond this handful
- Method: Identify key security areas (e.g., how do you store passwords, do you provide encrypted connections)
- Results thus far: Hypothesis validated, but not enough data to relate fraction of sins committed into # of vulnerabilities
- Not applicable where the application gets to rely on an infrastructure (e.g., web server) for security features

6 Some metrics are retrospective
- If acquiring a product, want to know how many security vulnerabilities there are today
- Retrospective measures are only valuable as a reputational indicator for early adopters
- Vendor A products have many vulnerabilities
- Vendor B products are rock solid
- But if vendor A acquires vendor B, will A’s products get B’s reputation? Or vice versa? What if B acquires A?
- Retrospective metrics don’t help with new products or where vendor is unknown

7 What do metrics measure?
- Metrics are of limited value on their own…
- f( {(In)security} × {Popularity} × {Ubiquity} )
  - {(In)security}: Absolute # of security vulnerabilities
  - {Popularity}: Is the product/vendor (dis)liked by hackers?
  - {Ubiquity}: Is the product well known/available?
- Trying to measure (in)security, or the product of the factors?
  - # of Bugtraq entries is a measure of the product
  - # of bugs found in a source code scan is a measure of (in)security
- All metrics are created equal, but some metrics are more objective than others

8 But not all metrics are good metrics…
- CSI/FBI study
  - Self-selected participants
  - No validation of claims, especially for $ amounts
  - Claims far more precision (typically 6 digits) than justified by number of responses (typically a few hundred), even if they were randomly selected
- Lesson learned
  - “Good enough” metrics doesn’t mean any metrics regardless of quality

9 What we should do
- Open site for public release of data, with product type
- Number of (unfiltered) static or dynamic analysis hits
- Number of Bugtraq or CVE entries / time
- Average education/experience per developer
- # of LOC/developer/time
- % of code that’s reused from other products/projects
- % of code that’s third party (e.g., libraries)
- Leading security indicators adherence
- After data has been gathered for a while, maybe we can draw some conclusions…

10 In conclusion… METRICS JUST DO IT!

11 Contact information
Jeremy Epstein
Senior Director, Product Security
jepstein@webMethods.com
703-460-5852 (O)
703-989-8907 (M)

