The March issue of IEEE Security & Privacy Journal has an article by Betsy Nichols and myself, titled "A Metrics Framework to Drive Application Security Improvement". The paper looks at design time, deployment time, and run time metrics that you can use to measure your app's security posture against the OWASP Top Ten (yes I know the Top Ten is changing, the purpose of this paper, like the Top Ten, is awareness not exhaustiveness). The paper looks at each of the OWASP Top Ten and examines what types of metrics can be used to assess how well your web applications measure up.
These can then be rolled up into various reporting methods such as the scorecard above. The overall point of metrics is to help people who are not make security experts (90% of people in software development) make better security decisions.
"The only metrics that matter are those for decision support in risk management."
-Dan Geer
Comments