Skip to main content
SpringerLink
Log in

Measuring Application Security

  • Conference paper
  • First Online:
Advances in Human Factors in Cybersecurity (AHFE 2018)

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 782))

Included in the following conference series:

Abstract

We report on a qualitative study of application security (AppSec) program management. We sought to establish the boundaries used to define program scope, the goals of AppSec practitioners, and the metrics and tools used to measure performance. We find that the overarching goal of AppSec groups is to ensure the security of software systems; this is a process of risk management. AppSec boundaries varied, but almost always excluded infrastructure-level system components. Seven top-level questions guide practitioner efforts; those receiving the most attention are Where are the application vulnerabilities in my software?, Where are my blind spots?, How do I communicate & demonstrate AppSec’s value to my management?, and Are we getting better at building in security over time?. Many metrics are used to successfully answer these questions, but one challenge stood out: there is no good way to measure AppSec risk. No one metric system dominated observed usage.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 129.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 169.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Davis, N.: Developing Secure Software. New York’s Software & Systems Process Improvement Network. New York, NY (2004)

    Google Scholar 

  2. 2016 Data Breach Investigations Report. Verizon Enterprise

    Google Scholar 

  3. CISO AppSec Guide: Application Security Program – OWASP. https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program

  4. About the Building Security In Maturity Model. https://www.bsimm.com/about.html

  5. OpenSAMM. http://www.opensamm.org/

  6. Framework for Improving Critical Infrastructure Cybersecurity (2014). https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

  7. McGraw, G., Migues, S., West, J.: BSIMM8 (2017). https://www.bsimm.com/download.html

  8. Payne, S.: A Guide to Security Metrics (2006). https://www.sans.org/reading-room/whitepapers/auditing/guide-security-metrics-55

  9. Sanders, B.: Security metrics: state of the Art and challenges. Inf. Trust Inst. Univ. Ill. (2009)

    Google Scholar 

  10. Miles, J., Gilbert, P.: A Handbook of Research Methods for Clinical and Health Psychology. Oxford University Press, Oxford (2005)

    Book  Google Scholar 

  11. Application software (2018). https://en.wikipedia.org/w/index.php?title=Application_software&oldid=826560991

  12. Steiner, G.A.: Strategic Planning. Simon and Schuster, New York (2010)

    Google Scholar 

  13. JP 5-0, Joint Planning (2017). http://www.jcs.mil/Doctrine/Joint-Doctrine-Pubs/5-0-Planning-Series/

  14. Douglas, M.: Strategy and tactics are treated like champagne and two-buck-chuck (2015). https://prestonwillisblog.wordpress.com/2015/05/15/strategy-and-tactics-are-treated-like-champagne-and-two-buck-chuck/

  15. Marrinan, J.: What’s the difference between a goal, objective, strategy, and tactic? (2014). http://www.commonbusiness.info/2014/09/whats-the-difference-between-a-goal-objective-strategy-and-tactic/

  16. Basili, V.R., Caldiera, G., Rombach, H.D.: The goal question metric approach. Encycl. Softw. Eng. 2, 528–532 (1994)

    Google Scholar 

  17. ISO/IEC/IEEE 24765:2010(E) Systems and software engineering — Vocabulary (2010). https://www.iso.org/standard/50518.html

  18. Allen, J.: How much security is enough (2009). https://resources.sei.cmu.edu/asset_files/WhitePaper/2013_019_001_295906.pdf

  19. Young, B.: Measuring software security: defining security metrics (2015)

    Google Scholar 

  20. Crouhy, M., Galai, D., Mark, R.: The Essentials of Risk Management. McGraw-Hill, New York (2005)

    Google Scholar 

  21. Krebs, B.: What’s your security maturity level? (2015). https://krebsonsecurity.com/2015/04/whats-your-security-maturity-level/

  22. Richardson, J., Bartol, N., Moss, M.: ISO/IEC 21827 Systems Security Engineering Capability Maturity Model (SSE-CMM) a process driven framework for assurance

    Google Scholar 

  23. Acohido, B., Sager, T.: Improving detection, prevention and response with security maturity modeling (2015). https://www.sans.org/reading-room/whitepapers/analyst/improving-detection-prevention-response-security-maturity-modeling-35985

  24. Microsoft Security Development Lifecycle. https://www.microsoft.com/en-us/sdl/default.aspx

  25. Olcott, J.: Cybersecurity: the new metrics (2016). https://www.bitsighttech.com/hubfs/eBooks/Cybersecurity_The_New_Metrics.pdf?t=1509031295345&utm_source=hs_automation&utm_medium=email&utm_content=37546190&_hsenc=p2ANqtz--m-crOcN48EycaIJFVXnHInTyc_LOO2aQWbl5YHXd3Fz34z7w0EfMptTs1_XnOGjEH_6jM_g6FUJUgAMYFSjV06QDmyQ&_hsmi=37546190

  26. SP 800-53 Rev. 5 (DRAFT), Security and Privacy Controls for Information Systems and Organizations. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft

  27. Wichers, D.: Getting started with OWASP: the top 10, ASVS, and the guides. In: 13th Semi-Annual Software Assurance Forum, Gaithersburg, MD (2010)

    Google Scholar 

  28. Application Security & Development STIGs. https://iase.disa.mil/stigs/app-security/app-security/Pages/index.aspx

  29. Jansen, W.: Directions in security metrics research (2009). http://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7564.pdf

  30. Savola, R.: On the feasibility of utilizing security metrics in software-intensive systems. Int. J. Comput. Sci. Netw. Secur. 10, 230–239 (2010)

    Google Scholar 

  31. Hallgren, K.A.: Computing inter-rater reliability for observational data: an overview and tutorial. Tutor. Quant. Methods Psychol. 8, 23–34 (2012)

    Article  Google Scholar 

  32. The 15-Minute, 7-Slide Security Presentation for Your Board of Directors. https://blogs.gartner.com/smarterwithgartner/the-15-minute-7-slide-security-presentation-for-your-board-of-directors/

  33. Gaillard, J.C.: Cyber security: board of directors need to ask the real questions (2015). http://www.informationsecuritybuzz.com/articles/cyber-security-board-of-directors-need-to-ask-the-real-questions/

  34. Risk (2018). https://en.wikipedia.org/w/index.php?title=Risk&oldid=824832006

  35. Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Trans. Inf. Syst. Secur. TISSEC. 5, 438–457 (2002)

    Article  Google Scholar 

  36. Expected value (2018). https://en.wikipedia.org/w/index.php?title=Expected_value&oldid=826427336

  37. Hoo, K.J.S.: How much is enough? A risk management approach to computer security. Stanford University Stanford, California (2000)

    Google Scholar 

  38. Schryen, G.: A fuzzy model for IT security investments (2010)

    Google Scholar 

  39. Böhme, R.: Security metrics and security investment models. In: IWSEC, pp. 10–24. Springer (2010)

    Chapter  Google Scholar 

  40. Held, G.: Measuring end-to-end security. AppSecUSA 2017, Orlando, FL (2017)

    Google Scholar 

Download references

Acknowledgements

This work was made possible by Secure Decisions, the Department of Homeland Security, and AppSec practitioners, many introduced to us by Code Dx, Inc. We would sincerely like to thank these practitioners for their time and candidness during the interviews; this work would have not been possible without their participation.

This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) via contract number HHSP233201600058C. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Department of Homeland Security.

Author information

Authors and Affiliations

  1. Secure Decisions, Clifton Park, NY, USA

    Christopher Horn

  2. Code Dx, Northport, NY, USA

    Anita D‘Amico

Authors
  1. Christopher Horn
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Anita D‘Amico
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Christopher Horn .

Editor information

Editors and Affiliations

  1. University of Central Florida, Orlando, Florida, USA

    Tareq Z. Ahram

  2. Soar Technology Inc., Orlando, Florida, USA

    Denise Nicholson

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer International Publishing AG, part of Springer Nature

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Horn, C., D‘Amico, A. (2019). Measuring Application Security. In: Ahram, T., Nicholson, D. (eds) Advances in Human Factors in Cybersecurity. AHFE 2018. Advances in Intelligent Systems and Computing, vol 782. Springer, Cham. https://doi.org/10.1007/978-3-319-94782-2_5

Download citation

Publish with us

Policies and ethics

Search

Navigation