ASSESSMENTS • VULNERABILITY MANAGEMENT • CONSULTING • TRAINING

Application Assessment Metrics

Presented by: Yvette du Toit
Agenda

•  Background
•  Approach
•  Examples
•  Challenges with Application Security Metrics
•  Q&A

Background

•  As Security Consultants we write reports
   –  Test, analyse, write up findings, submit to client
•  Issues still remain open – why?
   –  Reports do not say enough
   –  The value a report offers is questioned
•  Solution – metrics / visualisation
   –  Graphs, colour, size etc.
•  First – let's take a look at what reports say…
   –  Qualitative ratings
   –  Best practice

What do Reports Say?

•  2007 - 2011
•  Many words…
•  Content (Exec Summary, Technical Summary, Conclusion)
•  Are actions effective?
•  What would be more valuable – comparison (time & peers)
•  How do we use metrics?

                  Pages    Words
   Assessments    638      224587
   Re-Tests       137      28164
   Total          775      252751

Approach

•  Metrics – definition
   –  Quantifiable
   –  Characteristics
•  3 Metric Veterans:
   –  Jaquith: "those that support decision making about risk for the purpose of managing that risk"
   –  Marty: "a picture paints a thousand log records"
   –  Godin: "just because something is easy to measure doesn't mean it's important"
•  NB: Measure what is important and what will yield "useful" information
   –  Examples of metrics that are not necessarily useful

Useful?

•  Metrics can be misleading

Useful?

•  Metrics are not always 100% useful

Approach

•  Why? Illustrate useful information
   –  Recurring issues
   –  Time required to compromise
   –  Top 10 list
   –  Effectiveness of remediation
   –  Benchmarking
•  Who? 7 organisations in financial sector
•  When? 3 ½ years
•  How? Data capture process
   –  Marco Slaviero (Head of R&D)
   –  Spreadsheet for data capture
   –  Report meta-data (project length, frameworks, dates etc.)
   –  Findings categorised (pre-defined list of vulns)
   –  Findings ranked (Impact, EoE, Threat metric)
•  Normalisation
   –  Allows for comparison across time and peers

Annual Distribution of Projects (Days)

[Chart: annual distribution of project days]

SensePost Metrics Proposal

•  Metrics extracted from report data:
   –  Timelines (plotting projects on timeline)
   –  Basic counts and statistics (uncover counts)
      •  Number of projects
      •  Number of days
      •  Number of words and pages in report
   –  Threat metrics (Findings per threat level)
   –  Bug class metrics (Findings across categories)
   –  Top 10 list
   –  Re-Test Metrics
   –  Benchmarks (comparison to peers)

SensePost Metrics in Action: Timelines

•  Useful?

                            Pages    Words
   Number of Assessments    638      224587
   Number of Re-Tests       137      28164
   Total                    775      252751

SensePost Metrics in Action: Threat Metrics

•  Useful?

SensePost Metrics in Action: Bug Classes

•  Useful?
•  See 56% of findings occur in Top 11 bug classes
•  2008 Anomaly (No Re-Tests)

SensePost Metrics in Action: Top 10

•  Useful?

SensePost Metrics in Action: Re-Test

•  Useful?
•  29% Critical and 42% High-risk issues remain open

SensePost Metrics in Action: Benchmarks

•  Useful?
•  Our client positioned 3rd (not highlighted here)

Challenges

•  Bug counts vs bug classes
   –  Bug counts – number of findings
   –  Bug classes – categories
   –  2 applications scenario (10 findings in 1 bug class vs 1 finding in each of 10 bug classes)
•  Depth vs breadth
   –  Each occurrence – depth
   –  Each bug class – breadth

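The metric families the deck proposes (threat metrics, bug-class metrics, top-N share, re-test metrics, normalised benchmarks) and the bug-count vs bug-class challenge above, computed over a small constructed findings set, as an added example that is not SensePost's own tooling; the clients, bug classes, threat levels and project-day figures are made up for illustration.

```python
"""Report-derived assessment metrics (added example, not SensePost's tooling)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Threat levels in rank order; the deck ranks findings by Impact and EoE into a threat level.
THREAT_ORDER = ("Critical", "High", "Medium", "Low")


@dataclass(frozen=True)
class Finding:
    client: str                            # anonymised organisation label
    year: int                              # year the assessment took place
    bug_class: str                         # category from a pre-defined vulnerability list
    threat: str                            # ranked threat level
    open_at_retest: Optional[bool] = None  # None = finding was never re-tested


# Constructed sample data for three anonymised clients (not the deck's 7-organisation data set).
FINDINGS = [
    Finding("A", 2009, "XSS", "High", True),
    Finding("A", 2009, "XSS", "High", False),
    Finding("A", 2009, "SQLi", "Critical", False),
    Finding("A", 2010, "Session Mgmt", "Medium"),
    Finding("B", 2009, "SQLi", "Critical", True),
    Finding("B", 2010, "Auth Bypass", "Critical", True),
    Finding("B", 2010, "Info Leak", "Low", False),
    Finding("B", 2010, "XSS", "Medium"),
    Finding("C", 2010, "CSRF", "High", False),
    Finding("C", 2011, "XSS", "High", True),
    Finding("C", 2011, "Info Leak", "Low", False),
    Finding("C", 2011, "Logic Flaw", "High", False),
]
# Constructed assessment effort per client (project days), used for normalisation.
PROJECT_DAYS = {"A": 12, "B": 10, "C": 20}


def threat_metrics(findings):
    """Findings per threat level, in rank order, zero-filled for empty levels."""
    counts = Counter(f.threat for f in findings)
    return {level: counts.get(level, 0) for level in THREAT_ORDER}


def bug_class_metrics(findings):
    """Findings across categories (a Counter, most common first)."""
    return Counter(f.bug_class for f in findings)


def top_n_share(findings, n):
    """Fraction of all findings in the n most frequent bug classes
    (the deck's '56% of findings occur in Top 11 bug classes')."""
    if not findings:
        return 0.0
    top = sum(count for _, count in bug_class_metrics(findings).most_common(n))
    return top / len(findings)


def retest_open_rate(findings, level):
    """Share of re-tested findings at `level` still open at re-test (the deck's
    '29% Critical and 42% High-risk issues remain open'). Returns None when
    nothing at that level was re-tested, so a year without re-tests (the deck's
    2008 anomaly) is not misread as 0% open."""
    retested = [f for f in findings if f.threat == level and f.open_at_retest is not None]
    if not retested:
        return None
    return sum(1 for f in retested if f.open_at_retest) / len(retested)


def normalised_rate(findings, project_days, levels=("Critical", "High"), per_days=10):
    """Findings at `levels` per `per_days` assessment days, per client. Dividing by
    effort is what makes clients and years of different project length comparable."""
    hits = Counter(f.client for f in findings if f.threat in levels)
    return {c: round(hits.get(c, 0) / days * per_days, 3) for c, days in project_days.items()}


def benchmark(findings, project_days):
    """Clients ranked best first (fewest normalised Critical/High findings per 10 days)."""
    rates = normalised_rate(findings, project_days)
    return sorted(rates, key=lambda c: (rates[c], c))


def depth_breadth(findings):
    """Per client: depth = bug count, breadth = distinct bug classes. Two applications
    with equal bug counts can differ sharply here (10 findings in 1 class vs 1 in each of 10)."""
    per_client = defaultdict(list)
    for f in findings:
        per_client[f.client].append(f.bug_class)
    return {c: (len(cls), len(set(cls))) for c, cls in sorted(per_client.items())}


if __name__ == "__main__":
    print("Threat metrics:", threat_metrics(FINDINGS))
    print("Top-3 bug-class share: %.0f%%" % (100 * top_n_share(FINDINGS, 3)))
    for level in THREAT_ORDER:
        rate = retest_open_rate(FINDINGS, level)
        print(f"{level} open at re-test:", "n/a" if rate is None else f"{rate:.0%}")
    print("Benchmark, best first:", benchmark(FINDINGS, PROJECT_DAYS))
    print("Depth/breadth per client:", depth_breadth(FINDINGS))
```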
Q&A

•  Thank you
•  Longer paper – mail me
•  Email: yvette@sensepost.com
•  Contact: +27 79 509 8913
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Recently uploaded (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

Application Assessment Metrics

  • 1. ASSESSMENTS • VULNERABILITY MANAGEMENT • CONSULTING • TRAINING
       Presented by: Yvette du Toit
  • 2. Agenda
       • Background
       • Approach
       • Examples
       • Challenges with Application Security Metrics
       • Q&A
  • 3. Background
       • As security consultants we write reports
         – Test, analyse, write up findings, submit to client
       • Issues still remain open – why?
         – Reports do not say enough
         – The value the report offers is questioned
       • Solution – metrics / visualisation
         – Graphs, colour, size etc.
       • First – let's take a look at what reports say…
         – Qualitative ratings
         – Best practice
  • 4. What do Reports Say?
       • 2007 - 2011
       • Many words….
       • Content (Exec Summary, Technical Summary, Conclusion)
       • Are actions effective?
       • What would be more valuable – comparison (time & peers)
       • How do we use metrics?

                        Pages    Words
         Assessments    638      224587
         Re-Tests       137      28164
         Total          775      252751
  • 5. Approach
       • Metrics – definition
         – Quantifiable
       • 3 metric veterans:
         – Jaquith: "those that support decision making about risk for the purpose of managing that risk"
         – Marty: "a picture paints a thousand log records"
         – Godin: "just because something is easy to measure doesn't mean it's important"
       • NB: measure what is important and what will yield "useful" information
         – Examples of metrics that are not necessarily useful
  • 6. Useful?
       • Metrics can be misleading
       • Example
  • 7. Useful?
       • Metrics are not always 100% useful
       • Example
  • 8. Approach – Introduction
       • Why? Illustrate useful information
         – Recurring issues
         – Time required to compromise
         – Top 10 list
         – Effectiveness of remediation
         – Benchmarking
       • Who? 7 organisations in the financial sector
       • When? 3 ½ years
       • How? Data capture process
         – Marco Slaviero (Head of R&D)
         – Spreadsheet for data capture
         – Report meta-data (project length, frameworks, dates etc.)
         – Findings categorised (pre-defined list of vulns)
         – Findings ranked (Impact, EoE, Threat metric)
       • Normalisation
         – Allows for comparison across time and peers
  • 9. Annual Distribution of Project (Days)
       [chart only]
  • 10. SensePost Metrics Proposal – Our Metrics
       • Metrics extracted from report data:
         – Timelines (plotting projects on a timeline)
         – Basic counts and statistics (uncover counts)
           • Number of projects
           • Number of days
           • Number of words and pages in report
         – Threat metrics (findings per threat level)
         – Bug class metrics (findings across categories)
         – Top 10 list
         – Re-Test metrics
         – Benchmarks (comparison to peers)
  • 11. SensePost Metrics in Action: Timelines
       • Useful?

                                 Pages    Words
         Number of Assessments   638      224587
         Number of Re-Tests      137      28164
         Total                   775      252751
  • 12. SensePost Metrics in Action: Threat Metrics
       • Useful?
  • 13. SensePost Metrics in Action: Bug Classes
       • Useful?
       • See 56% of findings occur in the top 11 bug classes
       • 2008 anomaly (no Re-Tests)
  • 14. SensePost Metrics in Action: Top 10
       • Useful?
  • 15. SensePost Metrics in Action: Re-Test
       • Useful?
       • 29% of Critical and 42% of High-risk issues remain open
  • 16. SensePost Metrics in Action: Benchmarks
       • Useful?
       • Our client positioned 3rd (not highlighted here)
  • 17. Challenges
       • Bug counts vs bug classes
         – Bug counts – number of findings
         – Bug classes – categories
         – 2 applications scenario (10 findings in 1 bug class vs 1 finding in each of 10 bug classes)
       • Depth vs breadth
         – Each occurrence – depth
         – Each bug class – breadth
  • 18. Q&A
       • Thank you
       • Longer paper – mail me
       • Email: yvette@sensepost.com
       • Contact: +27 79 509 8913
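The metrics the deck proposes (findings per threat level, bug-class shares, re-test open rates, a length-normalised count, and the bug-count versus bug-class comparison from the Challenges slide), worked on a constructed findings set as an added example. This is not SensePost's data-capture spreadsheet or code; the bug-class names, threat levels and per-application numbers are assumptions, chosen so that App-A has ten findings in one class and App-B one finding in each of ten classes.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

THREAT_LEVELS = ("Critical", "High", "Medium", "Low")

@dataclass(frozen=True)
class Finding:
    app: str
    bug_class: str       # category from a pre-defined list of vulnerability classes
    threat: str          # ranked threat level
    open_at_retest: Optional[bool] = None  # None: this finding was never re-tested

# Constructed sample data (hypothetical, not SensePost's findings): App-A has ten
# findings in a single bug class, App-B one finding in each of ten classes.
CLASSES = ["XSS", "SQLi", "Auth", "Session", "CSRF", "Info Leak",
           "Access Control", "Input Validation", "Config", "Crypto"]
APP_B_THREATS = ["Critical", "Critical", "High", "High", "Medium",
                 "Medium", "Medium", "Low", "Low", "Low"]
APP_B_OPEN = [True, False, True, True, False, False, True, False, False, False]
FINDINGS = [Finding("App-A", "XSS", "High", i < 4) for i in range(10)]
FINDINGS += [Finding("App-B", c, t, o) for c, t, o in zip(CLASSES, APP_B_THREATS, APP_B_OPEN)]

def threat_metrics(findings):
    """Findings per threat level."""
    counts = Counter(f.threat for f in findings)
    return {lvl: counts.get(lvl, 0) for lvl in THREAT_LEVELS}

def bug_class_metrics(findings):
    """(bug class, count, percent of all findings), most common first."""
    counts = Counter(f.bug_class for f in findings)
    return [(cls, n, round(100 * n / len(findings))) for cls, n in counts.most_common()]

def retest_open_rate(findings):
    """Percent of re-tested findings per threat level that were still open at re-test."""
    rates = {}
    for lvl in THREAT_LEVELS:
        retested = [f for f in findings if f.threat == lvl and f.open_at_retest is not None]
        if retested:
            rates[lvl] = round(100 * sum(f.open_at_retest for f in retested) / len(retested))
    return rates

def depth_and_breadth(findings):
    """Per application: bug count (depth) and number of distinct bug classes (breadth)."""
    per_app = {}
    for f in findings:
        entry = per_app.setdefault(f.app, [0, set()])
        entry[0] += 1
        entry[1].add(f.bug_class)
    return {app: (count, len(classes)) for app, (count, classes) in per_app.items()}

def normalised_count(findings, project_days, per_days=10):
    """Findings per `per_days` project days, so assessments of different length compare."""
    return round(len(findings) * per_days / project_days, 1)
```

On this data both applications score 10 by bug count, but depth_and_breadth() separates them as (10, 1) and (10, 10), which is the distinction the Challenges slide draws.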