1 Raindrop: Metricon

Metricon 4.0 - The Importance of Context

The CFP for Metricon 4.0 says you have about a month to get your submission in if you want to present. As usual, Metricon 4.0 is co-located with Usenix Security, this time in Montreal, eh?

MetriCon 4.0 is intended as a forum for lively, practical discussion in the area of security metrics.
It is a forum for quantifiable approaches and results to problems afflicting information security
today, with a bias towards practical, specific approaches that demonstrate the value of security
metrics with respect to a security-related goal.

One thing I do when designing security services is to try and think when I am designing say authZ - how would I measure the success and/or failure of this service? Its not always possible but the discipline of looking at the service objectively has proved a useful exercise. For more info on how to participate in Meitrco check the CFP.

April 28, 2009 in Metricon, Security, Security Metrics | Permalink | Comments (0)

MetriCon 2.0 : Oh Well a Touch of Gray Kinda Suits You Anyway

MetriCon 2.0 happened on Tuesday in Boston, featuring a lot of collaborative, constructive dialog (the talks were 15 min. each with 15 min. of open discussion). Slides are here. Lots of good feedback from participants.

An interesting thing happened in the morning. Fredrick DeQuan Lee from Fortify showed some examples of security metrics in practice, including some findings from their review of open source projects. Using Fortify's tools they scanned projects Azureus, Blojsom, and Groovy on Rails weekly, over 74 million lines of code scanned each week. To rank the findings they developed a rating system like the Morningstar rating system for mutual funds. The ratings are:

1 Star: Absence of Remote and/or Setuid Vulnerabilities 2 Stars: Absence of Obvious Reliability Issues 3 Stars: Follow Best Practices 4 Stars: Documented Secure Development Process 5 Stars: Passed Independent Security Review

So first off, I am big fan of maturity continuums in security. They eliminate the black/white boolean "you are 100% compliant with our ivory tower policy (which no one is) or you are forever broken" view of the world. Maturity continuums also give a way to make incremental progress over time without having to have every project cram every security feature in before going live.

Next, the Fortify star system sets a harsh bar for even attaining one star (more on this later), on the plus side 1 star and 2 star should be able to measured quantitatively. As you move up the stars become fuzzier and more qualitative. I don't have a big issue with this because like stocks we can use separate criteria for assessing penny stocks as for assessing 3M or Walmart. When you are into the realm of debating whether to invest 3M or to invest in Walmart it is a different discussion. Would that we had more of these type discussion in security!

After the Fortify presentation, Jeremiah Grossman showed the data his team collected, that data showed 70% of websites they assessed had serious vulnerabilities (XSS, Information leakage, etc.). Interestingly, they also correlated the vulns across industry segments which showed marked differences in security profile based on sector. Good job retail sector! retail came with the lowest percentage of vulns, which could indicate that the higher spending on security we see Fin Svcs is not paying dividends.

At any rate, in the Q&A portion someone asked Jeremiah if *any* of the hundreds of sites included in his survey could gain even one star in the aforementioned Fortify ranking system? No way.

Is this a problem? Is Fortify's sytem broken? I don't think so. I think we need maturity continuums because just getting to one star is hard enough, and if we say you have 5 stars or you're broken, no one will get there. Evah. I don't think we need one uber ranking system either, Morningstar is just one of hundreds (thousands?) in the financial world. We also need different criteria for assessing penny stocks (Jeremiah's) from those we use to measure lower risk and more mature stocks (Fortify). For web apps today, the bad news is that we have a metric ton of penny stocks.

August 09, 2007 in Metricon, Security, Security Metrics | Permalink | Comments (2)

William Gibson Thinks You Should Go to Metricon

Ok, he did not explicitly say that about Metricon. But, in his last book "Pattern Recognition", he did underscore our current information security dilemma:

“We have no future because our present is too volatile. We have only risk management. The spinning of the given moment's scenarios. Pattern recognition...”

Risk is the price we pay to move forward, innovate, and grow the enterprise. Risk management is different from the standard "its perfect or its broken and I can't help you unless you follow everything in the 137 page policy manual" mentality that most IT security groups attempt to govern by.

Stepping into a risk management mindset is accepting there are going to be tradeoffs and then the queston becomes how to reason about these tradeoffs. Well today we mainly use axioms and "best" practices, for example gems like inside firewall = good, outside firewall = bad. (I am three years behind on patches on the Oracle system that has all our customer data, but its inside the firewall).

In trying to find better ways to reason about the tradeoffs and measure the efficacy over time, look to security metrics to objectively illustrate your system's capabilities. Use numbers and measurements to add weight to and to challenge existing axioms to see if the assumptions that were made actually hold up.

This is what we'll explore in the collaborative workshop Metricon, held in conjunction with Usenix security conference in Boston, August 7. There is limited time to register, so if you are interested in attending, do it soon.

(Since I took Mr. Gibson's name in vain, I should mention he has a new book coming out - "Spook Country" which I am excited to read)

July 16, 2007 in Metricon, Security, Security Metrics | Permalink | Comments (0)

Metricon 2.0 Draws Near

By my calculation, we are 4 weeks away from Metricon 2.0, August 7 in Boston (with Usenix Security). Registration, and further conference details are availablehere.

The format for Metricon is an open, collaborative discussion. The sessions were planned with lots of time for Metricon attendees to challenge speakers, explore ideas, and work through issues. When you put out a cfp, you never know what you'll get back, but I was really impressed by the quality of the presentations and I think the agenda below shows we can expect a real high rate of information and conceptual transfer 4 weeks from now. (getting geeked up...)

Metrics can get a bad rap, and they certainly can be misused, but I think the main problem we are trying to solve is to find places where we can design and operate systems using objective measurements as decision support rather than solely relying on axioms and best practices.

The day starts with a debate “Do Metrics Matter?” between Pro: Andrew Jaquith (Yankee Group) and Con: Mike Rothman (SecurityIncite)

The talks that are currently set are:

"Security Meta Metrics--Measuring Agility, Learning, and Unintended Consequence"
Russell Cameron Thomas (Meritology)

"Security Metrics in Practice: Development of a Security Metric System to Rate Enterprise Software"
Frederick Lee and Brian Chess (Fortify)

"A Software Security Risk Classification System"
Eric Dalci and Robert Hines (Cigital)

"Web Application Security Metrics"
Jeremiah Grossman (WhiteHat Security)

"Operational Security Risk Metrics: Definitions, Calculations, and Visualiztions", Brian Laing, Mike Llyod, and Alain Mayer (Redseal Systems)

"Metrics for Network Security Using Attack Graphs: A Position Paper", Anoop Singhal (NIST), Lingyu Wang and Sushil Jaodia (Center for Secure Information Systems, George Mason University)

"Software Security Weakness Scoring"
Chris Wysopal (Veracode)

"Developing secure applications with metrics in mind"
Thomas Heyman Christophe Huygens, and Wouter Joosen (K.U.Leuven)

"Correlating Automated Static Analysis Alert Density to Reported Vulnerabilities in Sendmail"
Michael Gegick and Laurie Williams (North Carolina State University)

There is a practitioner panel moderated by Becky Bace

And finally at the end of the day we have planned a "Stump the Chumps" session where security metricians spin the hamster wheel of pain.

Again each session is designed with a maximum amount of time to collaborate, explore ideas, and debate with presenters.

July 09, 2007 in Metricon, Security, Security Metrics | Permalink | Comments (0)

Choosing the Right Security Metric

Juice Analytics has an interesting post on Choosing the Right Metric. They describe the four dimensions of a good metric: Actionable (you know what to do if it goes up/down/flat), Common interpretation (different stakeholders agree upon definition), Accessible, creditable data, and Transparent, simple calculation (nothing up my sleeve).

This highlights several issues with security metrics. Making security metrics actionable is a challenge - if failed authentications go down is the access control too permissive? Or is it working well?

Common interpretation - also a security bugaboo. This presupposes that stakeholders at various levels have an idea what the security team's value proposition for the organization is to begin with. Compliance checkbox Olympics notwithstanding I'll wager this is not widely agreed upon.

**

Metricon 2.0 is in one month in Boston along with Usenix Security.

July 06, 2007 in Metricon, Security, Security Metrics | Permalink | Comments (1)

Metricon 2.0: For a Few Metrics More

Metricon 2.0 agenda is now online for the day before Usenix security in Boston in August. We will work on moving infosec towards a more scientific approach rather than an accumulatin set of axioms. The format is a collaborative workshop with shorter presentations and more open discussion. Read the summary from the Metricon 1.0 event here.