So we assume that basically every modern company with valuable data has a security program in place. This is usually a staff, a consulting firm, or both that actively engage IT projects and Lines of Business to better the overall technical security of the company. Pretty simple, eh?
So how do we measure the effectiveness of said program? Well, seemingly the universal answer to this is something called metrics.
Metrics are essentially ratings or measurements of a system for the prevention, remediation, or resolution of security issues. These can exist on many different levels, but my point of interest lies at the application level. More specifically, Web Applications.
The problem is that there isn't a silver bullet solution. Metrics are extremely difficult to create because each organization has varying requirements. This is further complicated by the fact that each IT project is different, and may or may not fit neatly into each metric. In my experience there are three basic ways to create a metric system.
First, we can create highly generic vulnerability classifications. This will probably end up obscuring the overall goal of remediation. Furthermore, providing a gross overall rating is misleading because the volume of less critical issues can mask the more critical ones, giving the appearance of an 'average' overall rating when the application may in fact be very insecure.
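The masking effect the post describes is easy to reproduce with numbers. The following is an added example, not code from the original post: it takes a constructed list of findings scored on the CVSS v3 qualitative scale (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0; the finding titles and scores are made up for illustration) and compares a naive averaged rating against a rating driven by the single worst finding, plus a per-band breakdown. The average comes out "Low" even though the application has a Critical SQL injection.

```python
"""Added example (not from the original post): an averaged severity rating
hides a critical finding behind a pile of low-severity ones; a worst-case
rating plus a per-band breakdown does not.

Severity bands follow the CVSS v3 qualitative scale. The findings below are
constructed sample data for illustration, not results of a real assessment.
"""

from statistics import mean

# Constructed sample: one Critical finding buried under seven Low ones.
FINDINGS = [
    {"id": "F-01", "title": "SQL injection in login form", "score": 9.8},
    {"id": "F-02", "title": "Missing X-Content-Type-Options header", "score": 2.0},
    {"id": "F-03", "title": "Verbose server banner", "score": 3.1},
    {"id": "F-04", "title": "Autocomplete enabled on password field", "score": 2.5},
    {"id": "F-05", "title": "Clickjacking on static help page", "score": 3.3},
    {"id": "F-06", "title": "Cacheable HTTPS response", "score": 2.2},
    {"id": "F-07", "title": "Cookie without Secure flag (non-session)", "score": 3.7},
    {"id": "F-08", "title": "Directory listing on /static/", "score": 2.9},
]

BANDS = ("None", "Low", "Medium", "High", "Critical")


def band(score):
    """Map a CVSS v3 base score (0.0-10.0) to its qualitative band."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def average_rating(findings):
    """The 'gross overall rating' the post warns about: mean score, then band.
    Volume of low findings drags the mean down regardless of the worst one."""
    if not findings:
        return "None"
    return band(mean(f["score"] for f in findings))


def worst_case_rating(findings):
    """Rating driven by the single worst finding; cannot be masked by volume."""
    if not findings:
        return "None"
    return band(max(f["score"] for f in findings))


def severity_breakdown(findings):
    """Count findings per band so the critical ones stay visible."""
    counts = {b: 0 for b in BANDS}
    for f in findings:
        counts[band(f["score"])] += 1
    return counts


def report(findings):
    """Return the three views side by side for comparison."""
    return {
        "averaged": average_rating(findings),
        "worst_case": worst_case_rating(findings),
        "breakdown": severity_breakdown(findings),
    }


if __name__ == "__main__":
    for key, value in report(FINDINGS).items():
        print(f"{key:>10}: {value}")
```

Run stand-alone, the script prints an averaged rating of "Low", a worst-case rating of "Critical", and a breakdown showing one Critical and seven Low findings; any metric meant to drive remediation has to preserve at least the latter two views.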
Why Application Security Metrics are broken