measuring software security
play

Measuring Software Security Defining Security Metrics Dr. Bill - PowerPoint PPT Presentation

Dec 08, 2023 •629 likes •854 views

Measuring Software Security Defining Security Metrics Dr. Bill Young Department of Computer Science University of Texas at Austin Last updated: May 1, 2015 at 08:15 Dr. Bill Young: 1 Metrics Talk: OAG IV&V Why Is CyberSecurity Hard? Why

  1. Measuring Software Security Defining Security Metrics Dr. Bill Young Department of Computer Science University of Texas at Austin Last updated: May 1, 2015 at 08:15 Dr. Bill Young: 1 Metrics Talk: OAG IV&V

  2. Why Is CyberSecurity Hard? Why is cybersecurity any harder than any other technological problem? Or is it? Partial answer: Most technological problems are concerned with ensuring that something good happens. Security is all about ensuring that bad things never happen . Dr. Bill Young: 2 Metrics Talk: OAG IV&V

  3. What Bad Things? If security is all about ensuring that bad things never happen , that means we have to know what those bad things are. The hardest thing about security is convincing yourself that you’ve thought of all possible attack scenarios, before the attacker thinks of them. “A good attack is one that the engineers never thought of.” –Bruce Schneier Dr. Bill Young: 3 Metrics Talk: OAG IV&V

  4. Cyber Defense is Asymmetric The defender has to find and eliminate all exploitable vulnerabilities; the attacker only needs to find one ! In cybersecurity, you have to defeat an actively malicious adversary . Principle of Easiest Penetration: an intruder will use any available means to subvert the security of a system. Dr. Bill Young: 4 Metrics Talk: OAG IV&V

  5. You Can’t Defend Everything Modern information management systems are a complex, “target-rich” environment comprising: hardware, software, storage media, peripheral devices, data, and people. He who defends everything defends nothing. –old military adage Dr. Bill Young: 5 Metrics Talk: OAG IV&V

  6. Security Isn’t the Point Security is often treated as an afterthought. No-one builds a digital system for the purpose of being secure. They build digital systems to do something useful. Security mechanisms may be viewed as a nuisance to be subverted, bypassed, or disabled. It’s often hard to convince management to allocate extra resources to prevent attacks that may never occur. Dr. Bill Young: 6 Metrics Talk: OAG IV&V

  7. The More Things Change ... “The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it.” –Robert H. Morris (mid 1980’s), former chief scientist of the National Computer Security Center “Unfortunately the only way to really protect [your computer] right now is to turn it off, disconnect it from the Internet, encase it in cement and bury it 100 feet below the ground.” –Prof. Fred Chang (2009), former director of research at NSA Dr. Bill Young: 7 Metrics Talk: OAG IV&V

  8. Perfect Security: It Ain’t Happening Perfect security is unachievable in any useful system. We trade-off security with other important goals: functionality, usability, efficiency, time-to-market, and simplicity. Dr. Bill Young: 8 Metrics Talk: OAG IV&V

  9. Security is Risk Management Viega and McGraw, Building Secure Software assert that software and system security is “all about managing risk.” Risk is the possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability. The assessment of risk must take into account the consequences of an exploit. Risk management is a process for an organization to identify and address the risks in their environment. Dr. Bill Young: 9 Metrics Talk: OAG IV&V

  10. Current IT Security Metrics “If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t improve it.” H. James Harrington Some Popular IT Security Metrics: Security risk assessment matrices Security vulnerabilities and incident statistics Annualized loss expectancy (ALE) Return on investment (ROI) Total cost of ownership (TCO) Dr. Bill Young: 10 Metrics Talk: OAG IV&V

  11. Current Metrics are Flawed Typical Security Risk Assessment: Likelihood of Event High Medium Low High “We’re Doomed!” Bad Outlier Severity of Medium Bad Not Good Error Impact Low Annoyance Typical “Whatever...” Problem: This doesn’t measure security risk; it measures human judgments about risk. That can be useful, assuming you understand what you’re getting. Dr. Bill Young: 11 Metrics Talk: OAG IV&V

  12. Counting Vulnerabilities or Incidents The number of vulnerabilities discovered or security-related “incidents” are often used as general indicators of the level of security. But these depend critically on: How thorough are your scans? How many systems are scanned? What severity is assigned to what vulnerabilities/incidents? How many applications are deployed? How does your number compare with peers? Dr. Bill Young: 12 Metrics Talk: OAG IV&V

  13. Annualized Loss Expectancy ALE is a common tool for risk assessment. Given potential threats, where do you put your security dollars? Risks in a large bank: Loss type Amount Incidence ALE SWIFT fraud $50,000,000 0.005 $250,000 ATM fraud (large) $250,000 0.2 $100,000 ATM fraud (small) $20,000 0.5 $10,000 Teller theft $3,240 200.0 $648,000 But this is really nothing more than expected value! Is that the right way to compute risk? Dr. Bill Young: 13 Metrics Talk: OAG IV&V

  14. Is ALE the Right Model? Consider the following two scenarios: 1 I give you a dollar. 2 We flip a coin. Heads: I give you $1000. Tails: you give me $998. The expected values are exactly the same, but the risks seem quite different. Often ALE deals in opinions and expectations because IT security does not have data to define actual probabilities. Dr. Bill Young: 14 Metrics Talk: OAG IV&V

  15. ROI and TCO Return on Investment (ROI) attempts to calculate how much benefit will be gained from an investment. How do current security expenditures affect future losses? This is very hard to estimate. Traditionally, ROI (in a financial setting) involves profit or rate of return. These don’t apply well for a security investment. Total Cost of Ownership (TCO) seeks to quantify the cost over the entire lifecycle of the investment. Only really applies to security purchases, not to measurement of the IT security process. Data for adequate comparison is lacking. Dr. Bill Young: 15 Metrics Talk: OAG IV&V

  16. Lessons from Other Industries We typically don’t have very good data for estimating IT security risk! Other industries—insurance, manufacturing, design—have a long history of dealing with risk. Some lessons: 1 Metrics and process will improve as the ability to collect, analyze and understand data improves. 2 Security is a business process. You must measure the business process to measure security. 3 Security results from human activities. You must understand people as well as technology. Dr. Bill Young: 16 Metrics Talk: OAG IV&V

  17. Choosing Good Metrics One approach: The Goal-Question-Metric (GQM) method borrowed from software engineering. Goal: What do I need to accomplish in my security program? Goals should be specific, limited, meaningful, contextual, well-documented. Questions: What specifically must I learn for that goal to be realized? Metrics: What data must I collect to answer the questions raised by the goals? GQM provides a structured process for thinking about security, translating thoughts into requirements, and developing the data to meet those requirements. Dr. Bill Young: 17 Metrics Talk: OAG IV&V

  18. Example: GQM for Security-Related Downtime Goal Statement: Understand security impact on system availability by reviewing security-related downtime as a percentage of total downtime. Question 1: How often is the system down due to failure? Metrics: Time between failures Failure duration Mean system availability Dr. Bill Young: 18 Metrics Talk: OAG IV&V

  19. Example: GQM for Security-Related Downtime Question 2: How often is the system down due to maintenance? Metrics: Time between maintenance events Maintenance duration Mean system availability Question 3: How often is downtime the result of a security event? Metrics: Number of security events in time period Duration of event remediation Dr. Bill Young: 19 Metrics Talk: OAG IV&V

  20. Are Goals Appropriate? Cisco Example: The security goals must align with the mission of the enterprise. Operating System Count & Urgent Vulnerabilities # Hosts # Vuln. # Hosts % Hosts w/ Vuln. w/ Vuln. Windows 4212 593 347 8.2 Linux 8026 62 41 < 1 Solaris 2733 216 143 5.2 Cisco 4626 6 6 < 1 Presented with these findings, Cisco management responded that since Linux and Cisco OS teams “had less than 1 percent of their hosts with high severity vulnerabilities, those teams must be spending too much time, effort and resources patching their hosts.” (Hayden, IT Security Metrics , p. 84) Dr. Bill Young: 20 Metrics Talk: OAG IV&V

  21. Conclusions Cyber security is important, but hard. Perfect security is impossible, so treat it as risk management. Must measure security to improve security. Some popular metrics are weak, largely because the underlying data is weak. Systematic approaches exist to build successful IT security metrics programs. Treat security as another business process. Dr. Bill Young: 21 Metrics Talk: OAG IV&V

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Economics of cybersecurity Measuring security levels Michel van

Economics of cybersecurity Measuring security levels Michel van

Economics of cybersecurity Measuring security levels Michel van Eeten Del. University of Technology Security produc=vity What is measurable? Security level

217 views • 10 slides
Measuring the Effectiveness of a Test (Converting Software Testing from an Art to a Science)

Measuring the Effectiveness of a Test (Converting Software Testing from an Art to a Science)

Measuring the Effectiveness of a Test (Converting Software Testing from an Art to a Science) Harry M. Sneed Software Test Engineer ANECON GmbH., Vienna, Austria Abstract: The proposed paper presents a set of metrics developed by the author while

401 views • 23 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Measuring Energy Security RYAN OPSAL Energy Security What is it? Familiar trap in the social

Measuring Energy Security RYAN OPSAL Energy Security What is it? Familiar trap in the social

Measuring Energy Security RYAN OPSAL Energy Security What is it? Familiar trap in the social sciences: too strict a definition and too much is excluded to be useful whereas too broad a definition weakens explanatory power given events Even

428 views • 15 slides
Measuring Velocity SWEN-610 Foundations of Software Engineering Department of Software

Measuring Velocity SWEN-610 Foundations of Software Engineering Department of Software

Measuring Velocity SWEN-610 Foundations of Software Engineering Department of Software Engineering Rochester Institute of Technology Velocity is the last piece of the Scrum process. At this point in the course, you've seen all of the Scrum

337 views • 5 slides
Measuring the Performance and Effectiveness of Critical security controls William Makatiani

Measuring the Performance and Effectiveness of Critical security controls William Makatiani

Measuring the Performance and Effectiveness of Critical security controls William Makatiani Name Here About Serianu Limited Serianu is a Pan Africa based Cyber Security and business consulting firm. We are an award winning company in the

759 views • 46 slides
Testing temperature measuring system for security and gas self-extinguishing for MPD detector

Testing temperature measuring system for security and gas self-extinguishing for MPD detector

Master rack fire protection HFC-236fa refrigerant Measurement stand Received data Testing temperature measuring system for security and gas self-extinguishing for MPD detector Author: Patryk Marcola Supervised by: mgr in. Marek Peryt

245 views • 9 slides
Don Randall MBE Chief Information Security Officer Bank of England Measuring the future value of

Don Randall MBE Chief Information Security Officer Bank of England Measuring the future value of

Don Randall MBE Chief Information Security Officer Bank of England Measuring the future value of Security Physical, Technical and Cyber to ensure boardroom engagement 20 th November 2014 Warsaw Approach Technical Threats

1.12k views • 33 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich and Christian Rechberger University of Luxembourg and DTU (Denmark) Presented by Yu Sasaki (NTT, Japan) 15 August 2013 Authenticated encryption

556 views • 22 slides
Security Metrics, Security Investment Models and Intro to R Tyler Moore CSE 7338 Computer

Security Metrics, Security Investment Models and Intro to R Tyler Moore CSE 7338 Computer

Notes Security Metrics, Security Investment Models and Intro to R Tyler Moore CSE 7338 Computer Science &amp; Engineering Department, SMU, Dallas, TX Lecture 2 Notes Outline Managing security investment 1 Security metrics 2 R 3

605 views • 16 slides
G. G. Stokes 1857 Stokes diagram with Stokes directions Halo at with singular directions

G. G. Stokes 1857 Stokes diagram with Stokes directions Halo at with singular directions

G. G. Stokes 1857 Stokes diagram with Stokes directions Halo at with singular directions Stokes diagram with Stokes directions Halo at with singular directions Stokes diagram with Stokes directions Halo at with singular directions

1.79k views • 130 slides
Scalar-flat K ahler ALE metrics on minimal resolutions Jeff Viaclovsky University of

Scalar-flat K ahler ALE metrics on minimal resolutions Jeff Viaclovsky University of

Introduction Existence Deformations Other applications Scalar-flat K ahler ALE metrics on minimal resolutions Jeff Viaclovsky University of Wisconsin May 19, 2015 Vanderbilt University Jeff Viaclovsky Scalar-flat K ahler ALE metrics

808 views • 77 slides
Towards a Quantitative Approach to Attack Response Response Herv Debar Using work performed

Towards a Quantitative Approach to Attack Response Response Herv Debar Using work performed

Towards a Quantitative Approach to Attack Response Response Herv Debar Using work performed during the PhD theses of Yohann Thomas, Nizar Kheir, Gustavo Gonzalez-Granadillo Institut Mines-Tlcom Operational security timeline

575 views • 39 slides
Q&amp;A in Google Slides: A guide for language teachers By Joe Dale Introduction The Q&amp;A

Q&amp;A in Google Slides: A guide for language teachers By Joe Dale Introduction The Q&amp;A

Q&amp;A in Google Slides: A guide for language teachers By Joe Dale Introduction The Q&amp;A option in Google Slides allows students to give written feedback and have it displayed during a live presentation by a teacher. The teacher chooses

206 views • 9 slides
Outline 1 The topic 2 Decision support systems 3 Modeling 3.4 Constraints Computing with

Outline 1 The topic 2 Decision support systems 3 Modeling 3.4 Constraints Computing with

Outline 1 The topic 2 Decision support systems 3 Modeling 3.4 Constraints Computing with relations Finite domains Solution algorithms Complexity vs. completeness Model-Based Systems &amp; Qualitative Reasoning WS 11/12 EMDS 3

623 views • 21 slides
Less is More: Nystr om Computational Regularization Alessandro Rudi , Raffaello Camoriano,

Less is More: Nystr om Computational Regularization Alessandro Rudi , Raffaello Camoriano,

Less is More: Nystr om Computational Regularization Alessandro Rudi , Raffaello Camoriano, Lorenzo Rosasco University of Genova - Istituto Italiano di Tecnologia Massachusetts Institute of Technology ale rudi@mit.edu Dec 10th NIPS 2015 A

566 views • 54 slides

More recommend