Abstract
We report on a qualitative study of application security (AppSec) program management. We sought to establish the boundaries used to define program scope, the goals of AppSec practitioners, and the metrics and tools used to measure performance. We find that the overarching goal of AppSec groups is to ensure the security of software systems; this is a process of risk management. AppSec boundaries varied, but almost always excluded infrastructure-level system components. Seven top-level questions guide practitioner efforts; those receiving the most attention are Where are the application vulnerabilities in my software?, Where are my blind spots?, How do I communicate & demonstrate AppSec’s value to my management?, and Are we getting better at building in security over time?. Many metrics are used to successfully answer these questions, but one challenge stood out: there is no good way to measure AppSec risk. No one metric system dominated observed usage.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Davis, N.: Developing Secure Software. New York’s Software & Systems Process Improvement Network. New York, NY (2004)
2016 Data Breach Investigations Report. Verizon Enterprise
CISO AppSec Guide: Application Security Program – OWASP. https://www.owasp.org/index.php/CISO_AppSec_Guide:_Application_Security_Program
About the Building Security In Maturity Model. https://www.bsimm.com/about.html
OpenSAMM. http://www.opensamm.org/
Framework for Improving Critical Infrastructure Cybersecurity (2014). https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
McGraw, G., Migues, S., West, J.: BSIMM8 (2017). https://www.bsimm.com/download.html
Payne, S.: A Guide to Security Metrics (2006). https://www.sans.org/reading-room/whitepapers/auditing/guide-security-metrics-55
Sanders, B.: Security metrics: state of the Art and challenges. Inf. Trust Inst. Univ. Ill. (2009)
Miles, J., Gilbert, P.: A Handbook of Research Methods for Clinical and Health Psychology. Oxford University Press, Oxford (2005)
Application software (2018). https://en.wikipedia.org/w/index.php?title=Application_software&oldid=826560991
Steiner, G.A.: Strategic Planning. Simon and Schuster, New York (2010)
JP 5-0, Joint Planning (2017). http://www.jcs.mil/Doctrine/Joint-Doctrine-Pubs/5-0-Planning-Series/
Douglas, M.: Strategy and tactics are treated like champagne and two-buck-chuck (2015). https://prestonwillisblog.wordpress.com/2015/05/15/strategy-and-tactics-are-treated-like-champagne-and-two-buck-chuck/
Marrinan, J.: What’s the difference between a goal, objective, strategy, and tactic? (2014). http://www.commonbusiness.info/2014/09/whats-the-difference-between-a-goal-objective-strategy-and-tactic/
Basili, V.R., Caldiera, G., Rombach, H.D.: The goal question metric approach. Encycl. Softw. Eng. 2, 528–532 (1994)
ISO/IEC/IEEE 24765:2010(E) Systems and software engineering — Vocabulary (2010). https://www.iso.org/standard/50518.html
Allen, J.: How much security is enough (2009). https://resources.sei.cmu.edu/asset_files/WhitePaper/2013_019_001_295906.pdf
Young, B.: Measuring software security: defining security metrics (2015)
Crouhy, M., Galai, D., Mark, R.: The Essentials of Risk Management. McGraw-Hill, New York (2005)
Krebs, B.: What’s your security maturity level? (2015). https://krebsonsecurity.com/2015/04/whats-your-security-maturity-level/
Richardson, J., Bartol, N., Moss, M.: ISO/IEC 21827 Systems Security Engineering Capability Maturity Model (SSE-CMM) a process driven framework for assurance
Acohido, B., Sager, T.: Improving detection, prevention and response with security maturity modeling (2015). https://www.sans.org/reading-room/whitepapers/analyst/improving-detection-prevention-response-security-maturity-modeling-35985
Microsoft Security Development Lifecycle. https://www.microsoft.com/en-us/sdl/default.aspx
Olcott, J.: Cybersecurity: the new metrics (2016). https://www.bitsighttech.com/hubfs/eBooks/Cybersecurity_The_New_Metrics.pdf?t=1509031295345&utm_source=hs_automation&utm_medium=email&utm_content=37546190&_hsenc=p2ANqtz--m-crOcN48EycaIJFVXnHInTyc_LOO2aQWbl5YHXd3Fz34z7w0EfMptTs1_XnOGjEH_6jM_g6FUJUgAMYFSjV06QDmyQ&_hsmi=37546190
SP 800-53 Rev. 5 (DRAFT), Security and Privacy Controls for Information Systems and Organizations. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft
Wichers, D.: Getting started with OWASP: the top 10, ASVS, and the guides. In: 13th Semi-Annual Software Assurance Forum, Gaithersburg, MD (2010)
Application Security & Development STIGs. https://iase.disa.mil/stigs/app-security/app-security/Pages/index.aspx
Jansen, W.: Directions in security metrics research (2009). http://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7564.pdf
Savola, R.: On the feasibility of utilizing security metrics in software-intensive systems. Int. J. Comput. Sci. Netw. Secur. 10, 230–239 (2010)
Hallgren, K.A.: Computing inter-rater reliability for observational data: an overview and tutorial. Tutor. Quant. Methods Psychol. 8, 23–34 (2012)
The 15-Minute, 7-Slide Security Presentation for Your Board of Directors. https://blogs.gartner.com/smarterwithgartner/the-15-minute-7-slide-security-presentation-for-your-board-of-directors/
Gaillard, J.C.: Cyber security: board of directors need to ask the real questions (2015). http://www.informationsecuritybuzz.com/articles/cyber-security-board-of-directors-need-to-ask-the-real-questions/
Risk (2018). https://en.wikipedia.org/w/index.php?title=Risk&oldid=824832006
Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Trans. Inf. Syst. Secur. TISSEC. 5, 438–457 (2002)
Expected value (2018). https://en.wikipedia.org/w/index.php?title=Expected_value&oldid=826427336
Hoo, K.J.S.: How much is enough? A risk management approach to computer security. Stanford University Stanford, California (2000)
Schryen, G.: A fuzzy model for IT security investments (2010)
Böhme, R.: Security metrics and security investment models. In: IWSEC, pp. 10–24. Springer (2010)
Held, G.: Measuring end-to-end security. AppSecUSA 2017, Orlando, FL (2017)
Acknowledgements
This work was made possible by Secure Decisions, the Department of Homeland Security, and AppSec practitioners, many introduced to us by Code Dx, Inc. We would sincerely like to thank these practitioners for their time and candidness during the interviews; this work would have not been possible without their participation.
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) via contract number HHSP233201600058C. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Department of Homeland Security.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Horn, C., D‘Amico, A. (2019). Measuring Application Security. In: Ahram, T., Nicholson, D. (eds) Advances in Human Factors in Cybersecurity. AHFE 2018. Advances in Intelligent Systems and Computing, vol 782. Springer, Cham. https://doi.org/10.1007/978-3-319-94782-2_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-94782-2_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-94781-5
Online ISBN: 978-3-319-94782-2
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)