[GPC] Fwd: OWASP Metrics Project

Jason Li jason.li at owasp.org
Mon Aug 3 10:03:52 EDT 2009


All,
I've been put into contact with Jeff Barto who is interested in contributing
to the OWASP Application Security Metrics Project. The project was declared
orphaned earlier. Jeff is willing to take up the leadership of this project.
See Jeff's vision in the thread below.

I'd like to add discussion of changing leaders to the agenda for tonight's
meeting (http://www.owasp.org/index.php/GPC_Agenda_2009-08-03).

-Jason

---------- Forwarded message ----------
From: <Jeffrey.Barto at ubs.com>
Date: Thu, Jul 30, 2009 at 4:52 PM
Subject: RE: OWASP Metrics Project
To: jason.li at owasp.org, peter.dean at owasp.org
Cc: James.McGovern at thehartford.com, jbarto3 at sbcglobal.net


Hi Jason,

I have given quite a bit of thought to this area and separate software
metrics and security metrics with a bit of union between them.  Before we
get started here are my main concepts around security metrics:

1.  A security metric is either a direct metric or an indirect metric, based
on the measurement criteria.  For instance, # security flaws/module can be
directly measured at a given point in time, where the results are compared to
known, mature data.  Indirect metrics are # security flaws/module that
cannot be compared to known, mature data.

2.  All metrics must have a mathematical formula that is standard to compare
to any data gathered.

3.  Metrics can be used to estimate exposure in predetermined categories if
data is not mature.  This is Bayesian Inference.

4.  Metrics are useless without data gathering, classifications and
repeatable processes/tools.

5.  Metrics must be formula based or logically based.  For instance, a
logically based metric would look like - # security flaws X <estimated new,
undiscovered flaws> / average # of flaws found in the same application
category.  Since estimated new, undiscovered flaws is a prediction, this
metric would then provide a probability density function for each
application category.

6.  Metrics work on top of data and need statistics and probability to be
used effectively.

This is a bit of a shift from what the current site discusses; if you are
game, I will lead.

Regards,

Jeff
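As an added illustration (not code from the thread or from the OWASP project), one way to read items 1 and 5 above in working form: a category baseline is "mature" once it has enough applications (the threshold `MATURE_SAMPLE_SIZE` and the sample records are constructed assumptions), a metric compared against a mature baseline is direct and otherwise indirect, and item 5's ratio is computed per application.

```python
"""Added example: direct/indirect classification (item 1) and the
logically based metric of item 5, read as
    flaws_found * estimated_undiscovered / average flaws in the category.
All records and thresholds below are constructed for illustration.
"""
from statistics import mean

# Constructed sample: (application, category, security flaws found)
FLAW_RECORDS = [
    ("billing-web", "web", 12),
    ("portal", "web", 8),
    ("intranet", "web", 10),
    ("mobile-wallet", "mobile", 5),
]

# Assumed rule: a category baseline counts as "mature" once it has
# at least this many applications behind it.
MATURE_SAMPLE_SIZE = 3


def category_baselines(records):
    """Average flaws per category and whether that baseline is mature."""
    per_category = {}
    for _, category, flaws in records:
        per_category.setdefault(category, []).append(flaws)
    return {
        category: (mean(values), len(values) >= MATURE_SAMPLE_SIZE)
        for category, values in per_category.items()
    }


def flaw_metric(app, records, estimated_undiscovered):
    """Item 5 metric for one application.

    Returns (kind, value): kind is 'direct' when the category baseline is
    mature (comparison to known data is meaningful), else 'indirect'.
    """
    baselines = category_baselines(records)
    _, category, flaws_found = next(r for r in records if r[0] == app)
    avg_flaws, mature = baselines[category]
    value = flaws_found * estimated_undiscovered / avg_flaws
    return ("direct" if mature else "indirect", value)


if __name__ == "__main__":
    for app, _, _ in FLAW_RECORDS:
        print(app, flaw_metric(app, FLAW_RECORDS, estimated_undiscovered=2))
```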