Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
1. Metrics evolution breakfast edition
2. YOUR SPEAKER –
• 2014 HEAD OF INFORMATION SECURITY – WORLDLINE (ATOS GROUP)
• 2014 CISO-LEVEL SECURITY, RISK & COMPLIANCE CONSULTANCY ACROSS EUROPE
• 2013 PCI DSS COMPLIANCE AT WALMART FOR ASDA & GEORGE (LEVEL ONE MERCHANT)
• 2011 - 2013 PCI DSS COMPLIANCE, MANCHESTER AIRPORTS GROUP (LEVEL THREE MERCHANT)
• 2006 - 2011 PCI DSS COMPLIANCE, HOMELOAN MANAGEMENT LIMITED (LEVEL ONE SERVICE PROVIDER)
• 2006 ECOMMERCE SECURITY – THOMAS COOK SCHEDULED BUSINESS
3. EXEC SUMMARY
• QUICK LOOK BACK OVER LAST TEN YEARS
• QUICK LOOK AT MY FAVOURITE BACKGROUND READING
• AT A FORK IN THE ROAD - KPI V SECVIZ
5. INTRODUCTION (FROM 2003)
• IT SECURITY METRICS PROVIDE A PRACTICAL APPROACH TO MEASURING INFORMATION SECURITY.
• EVALUATING SECURITY AT THE SYSTEM LEVEL, IT SECURITY METRICS ARE TOOLS THAT FACILITATE DECISION MAKING AND ACCOUNTABILITY THROUGH COLLECTION, ANALYSIS, AND REPORTING OF RELEVANT PERFORMANCE DATA.
6. OLD SCHOOL METRICS TUTORIAL
• DAN GEER
• 426 PAGES
• 2007
• GEER - HTTP://GEER.TINHO.NET/MEASURINGSECURITY.TUTORIAL.PDF
19. Why Vulnerability Stats Suck
• Stats are presented without understanding the limits of the data
• Even if explanations are provided, correlation is confused with causation:
21. Disease Research: Epidemiology vs. Vulnerability Research

Criterion | Epidemiology | Vulnerability Research
Goal | Improve the public health | SAVE ALL THE THINGZ ON THA INTERWEBZ! * (attention whoring)
Objects of Study | People/Diseases | Software/Vulnerabilities
Populations | Groups of people | Groups of vulnerabilities (as seen in multi-vuln disclosures)
Measurement Devices (Tools of the Trade) | Blood pressure monitors, thermometers, lab tests, observation | Automated code scanners w/high FP/FN rates, fuzzers, coffee-fueled malcontents staring at code at 3 AM
Publication Requirements | Refereed journals with peer review | Ability to send email
Sampling Methods | Using industry established methodologies and formal documentation | Using wildly erratic methodologies, no standards for documentation or disclosure

* Goal not shared by all researchers. Please to be rolling with this, kthxbye
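The table's "Populations" and "Measurement Devices" rows name two limits of the data that a raw vulnerability count hides: one advisory can bundle many vulnerability IDs, and scanner findings come with a false-positive and false-negative rate. The script below is an added example, not from the deck or the cited talk; every disclosure record and scanner rate in it is constructed. It shows a product ranking that flips when counting disclosure events instead of IDs, and corrects a scanner's finding count for its error rates before it is reported as "vulnerabilities found".

```python
"""Two corrections for raw vulnerability counts, matching the data limits the
table above lists: multi-vulnerability disclosures inflating per-product totals,
and scanner findings carrying a known false-positive / false-negative rate.
Added example, not from the deck; every record and rate below is constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Disclosure:
    vuln_id: str    # one identifier per vulnerability
    product: str
    advisory: str   # one advisory (disclosure event) can carry many vuln IDs


# Constructed sample: product A got one advisory bundling six issues,
# product B got three separate single-issue advisories.
SAMPLE = [
    Disclosure("V-001", "A", "ADV-100"),
    Disclosure("V-002", "A", "ADV-100"),
    Disclosure("V-003", "A", "ADV-100"),
    Disclosure("V-004", "A", "ADV-100"),
    Disclosure("V-005", "A", "ADV-100"),
    Disclosure("V-006", "A", "ADV-100"),
    Disclosure("V-007", "B", "ADV-200"),
    Disclosure("V-008", "B", "ADV-201"),
    Disclosure("V-009", "B", "ADV-202"),
]


def raw_counts(records):
    """Vulnerability IDs per product: the number most headline stats report."""
    return Counter(r.product for r in records)


def advisory_counts(records):
    """Distinct disclosure events per product: what the 'Populations' row
    says the data is actually sampling."""
    seen = {(r.product, r.advisory) for r in records}
    return Counter(product for product, _ in seen)


def ranking(counts):
    """Products ordered from most to fewest, ties broken by name."""
    return [p for p, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def corrected_true_count(observed, n_checked, fpr, fnr):
    """Estimate the true number of vulnerable items behind a scanner's finding count.

    With T true vulnerabilities among n_checked items, a scanner with
    false-positive rate fpr and false-negative rate fnr reports on average
        observed = T * (1 - fnr) + (n_checked - T) * fpr
    Solving for T gives the estimate below, clamped to [0, n_checked].
    """
    denom = 1.0 - fnr - fpr
    if denom <= 0:
        raise ValueError("scanner is no better than chance; the count is uninformative")
    estimate = (observed - n_checked * fpr) / denom
    return max(0.0, min(float(n_checked), estimate))


if __name__ == "__main__":
    print("by vuln ID:  ", dict(raw_counts(SAMPLE)), ranking(raw_counts(SAMPLE)))
    print("by advisory: ", dict(advisory_counts(SAMPLE)), ranking(advisory_counts(SAMPLE)))
    # Constructed scanner run: 1000 items checked, 120 flagged, FPR 10%, FNR 20%.
    print("true vulns behind 120 findings:",
          round(corrected_true_count(120, 1000, 0.10, 0.20), 1))
```

With the constructed data, product A leads by vulnerability ID (6 to 3) but trails by disclosure event (1 to 3), so the headline "A has twice as many vulnerabilities" is an artifact of how one advisory was written up. The scanner correction is the same arithmetic in the other direction: at a 10% false-positive rate across 1000 checked items, 120 findings are consistent with only about 29 real issues, and a scanner whose combined error rates reach 100% is refused outright rather than reported.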
22. The Shocking Claim
• Bias and statistics in vulnerability research are far worse than in other disciplines
• At least people don’t die (yet?), but still use vulnerable
equipment:
– SCADA
– Airplanes
– Automobiles
– Medical Devices
– Oh my…