Why Application Security Metrics are broken


#1 Blake (Former Commander In Chief, Retired Admin)

Posted 22 December 2008 - 12:56 PM

So we assume that basically every modern company with valuable data has a security program in place. This is usually a staff, a consulting firm, or both that actively engage IT projects and lines of business to better the overall technical security of the company. Pretty simple, eh?
So how do we measure the effectiveness of said program? Well, seemingly the universal answer to this is something called metrics.

Metrics are essentially ratings or measurements of a system for prevention, remediation, or resolution of security issues. These can exist on many different levels, but my point of interest lies at the application level. More specifically, Web Applications.

The problem is that there isn't a silver bullet solution. Metrics are extremely difficult to create because each organization has varying requirements. This is further complicated by the fact that each IT project is different, and may or may not fit neatly into each metric. In my experience there are three basic ways to create a metric system.

First, we can create highly generic vulnerability classifications. This will probably end up obscuring the overall goal of remediation. Furthermore, providing a gross overall rating is misleading because the volume of less critical issues can mask the more highly critical issues, giving an appearance of an 'average' overall rating when the application may in fact be very insecure.
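The masking effect the post describes, as an added illustration that is not part of the original post: a constructed finding list for a hypothetical web application, an assumed numeric severity scale, and two ways of rolling it up (a gross average versus a worst-case rating with a per-severity breakdown).

```python
"""Why a single averaged rating hides critical findings (constructed example)."""
from collections import Counter

# Assumed numeric weights per severity; the scale is an illustration, not a standard.
SEVERITY_SCORE = {"low": 1, "medium": 4, "high": 7, "critical": 10}

# Constructed findings for one hypothetical web application: one critical
# issue buried among a pile of low-severity header and disclosure issues.
FINDINGS = [
    {"id": "F-1", "title": "SQL injection in login form", "severity": "critical"},
    {"id": "F-2", "title": "Missing X-Frame-Options header", "severity": "low"},
    {"id": "F-3", "title": "Server version banner disclosed", "severity": "low"},
    {"id": "F-4", "title": "Verbose 404 page", "severity": "low"},
    {"id": "F-5", "title": "Cookie without Secure flag on static asset", "severity": "low"},
    {"id": "F-6", "title": "Autocomplete enabled on search box", "severity": "low"},
    {"id": "F-7", "title": "Directory listing on /images", "severity": "low"},
    {"id": "F-8", "title": "Missing Cache-Control on public page", "severity": "low"},
]


def band(score):
    """Map a numeric score back to the coarse rating a dashboard would show."""
    if score <= 3:
        return "low"
    if score <= 6:
        return "medium"
    if score <= 8:
        return "high"
    return "critical"


def average_rating(findings):
    """Gross overall rating: arithmetic mean of the severity scores."""
    if not findings:
        return 0.0
    return sum(SEVERITY_SCORE[f["severity"]] for f in findings) / len(findings)


def worst_case_rating(findings):
    """Rating driven by the single most severe open finding."""
    return max((SEVERITY_SCORE[f["severity"]] for f in findings), default=0)


def severity_breakdown(findings):
    """Count of findings per severity; keeps the critical issue visible."""
    return dict(Counter(f["severity"] for f in findings))


def is_masked(findings):
    """True when the average band understates a critical finding."""
    return band(average_rating(findings)) != "critical" and worst_case_rating(findings) >= 10
```

With these constructed findings the average rolls up to about 2.1 ("low") while the worst-case rating is 10 ("critical"), which is exactly the masking the post warns about.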
