[GPC] Fwd: OWASP Metrics Project

Brad Causey bradcausey at gmail.com
Thu Aug 6 16:42:01 EDT 2009


I'm good with it.

-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
Never underestimate the time, expense, and effort an opponent will expend to
break a code. (Robert Morris)
--


On Mon, Aug 3, 2009 at 9:03 AM, Jason Li <jason.li at owasp.org> wrote:

> All,
> I've been put into contact with Jeff Barto who is interested in
> contributing to the OWASP Application Security Metrics Project. The project
> was declared orphaned earlier. Jeff is willing to take up the leadership of
> this project. See Jeff's vision in the thread below.
>
> I'd like to add discussion of changing leaders to the agenda to tonight's
> meeting (http://www.owasp.org/index.php/GPC_Agenda_2009-08-03).
>
> -Jason
>
> ---------- Forwarded message ----------
> From: <Jeffrey.Barto at ubs.com>
> Date: Thu, Jul 30, 2009 at 4:52 PM
> Subject: RE: OWASP Metrics Project
> To: jason.li at owasp.org, peter.dean at owasp.org
> Cc: James.McGovern at thehartford.com, jbarto3 at sbcglobal.net
>
>
>  Hi Jason,
>
> I have given quite a bit of thought to this area and separate software
> metrics and security metrics with a bit of union between them.  Before we
> get started here are my main concepts around security metrics:
>
> 1.  Security Metrics are either a direct metric or an indirect metric based
> on the measurement criteria.  For instance # security flaws/module can be
> directly measured at a given point in time where the results are compared to
> known, mature data.  Indirect metrics are # security flaws/module that
> cannot be compared to known, mature data.
>
> 2.  All metrics must have a mathematical formula that is standard to
> compare to any data gathered.
>
> 3.  Metrics can be used to estimate exposure in predetermined categories if
> data is not mature.  This is Bayesian Inference.
>
> 4.  Metrics are useless without data gathering, classifications and
> repeatable processes/tools.
>
> 5.  Metrics must be formula based or logically based.  For instance a
> logically based metric would look like - # security flaws X <estimated new,
> undiscovered flaws> / average # of flaws found in the same application
> category.  Since estimated new, undiscovered flaws is a prediction, this
> metric would then provide a probability density function for each
> application category.
>
> 6.  Metrics work on top of data and need statistics and probability to be
> used effectively.
>
> This is a bit of a shift from what the current site discusses, if you are
> game I will lead.
>
> Regards,
>
> Jeff
>
>
> _______________________________________________
> Global-projects-committee mailing list
> Global-projects-committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global-projects-committee
>
>
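An added worked example, not code from the thread or from the OWASP project, showing how points 1, 3 and 5 of Jeff's list could be made concrete: a per-module flaw rate is estimated by Bayesian inference when an application's own data is still immature, using category baseline data as the prior, and the result feeds a metric that combines flaws found with the predicted undiscovered remainder. Everything below is an assumption: the Gamma-Poisson conjugate model, the prior weight of ten modules, the constructed baseline numbers, and my reading of the point-5 formula as (found + estimated undiscovered) divided by the category average.

```python
"""Illustration (not from the thread) of Jeff's points 1, 3 and 5:
a per-module flaw rate estimated with Bayesian inference from immature
data, using category baseline data as the prior, and an exposure metric
that combines flaws found with the predicted undiscovered remainder.

Model assumption: flaws per module ~ Poisson(rate), rate ~ Gamma(shape, rate)
(the conjugate choice), so the posterior has a closed form.
"""
import math
from dataclasses import dataclass

# Constructed baseline for one application category: (flaws found, modules)
# per mature application. Not real data.
CATEGORY_BASELINE = [(12, 40), (7, 25), (20, 60), (9, 35)]


def metric_kind(baseline):
    """Point 1: a metric is 'direct' when it can be compared to known, mature
    data, 'indirect' when no such baseline exists (assumed reading)."""
    return "direct" if baseline else "indirect"


@dataclass
class GammaPosterior:
    shape: float  # Gamma shape (accumulated flaws + prior pseudo-flaws)
    rate: float   # Gamma rate  (accumulated modules + prior pseudo-modules)

    @property
    def mean(self):
        return self.shape / self.rate

    def pdf(self, x):
        """Probability density of the per-module flaw rate at x."""
        if x <= 0:
            return 0.0
        a, b = self.shape, self.rate
        return math.exp(a * math.log(b) + (a - 1) * math.log(x) - b * x - math.lgamma(a))


def category_prior(baseline, prior_weight_modules=10.0):
    """Empirical prior: category-wide flaws per module, given the weight of
    `prior_weight_modules` observed modules (assumed tuning constant)."""
    flaws = sum(f for f, _ in baseline)
    modules = sum(m for _, m in baseline)
    rate_mean = flaws / modules
    return GammaPosterior(shape=rate_mean * prior_weight_modules, rate=prior_weight_modules)


def update(prior, flaws_found, modules_reviewed):
    """Conjugate Gamma-Poisson update with the application's own review data."""
    return GammaPosterior(prior.shape + flaws_found, prior.rate + modules_reviewed)


def credible_interval(post, mass=0.90, grid=20000):
    """Central credible interval from numeric integration of the pdf."""
    upper = post.mean * 5 + 1.0
    dx = upper / grid
    cdf, lo, hi = 0.0, None, None
    for i in range(grid):
        x = (i + 0.5) * dx
        cdf += post.pdf(x) * dx
        if lo is None and cdf >= (1 - mass) / 2:
            lo = x
        if cdf >= 1 - (1 - mass) / 2:
            hi = x
            break
    return lo, hi


def exposure_metric(flaws_found, modules_reviewed, modules_total, baseline):
    """Assumed reading of point 5: (flaws found + estimated undiscovered flaws)
    / average flaws per application in the same category."""
    post = update(category_prior(baseline), flaws_found, modules_reviewed)
    undiscovered = (modules_total - modules_reviewed) * post.mean
    category_avg = sum(f for f, _ in baseline) / len(baseline)
    return (flaws_found + undiscovered) / category_avg, undiscovered, post


if __name__ == "__main__":
    # Constructed application: 6 flaws in 10 of 30 modules reviewed so far.
    ratio, undiscovered, post = exposure_metric(6, 10, 30, CATEGORY_BASELINE)
    lo, hi = credible_interval(post)
    print(f"metric kind: {metric_kind(CATEGORY_BASELINE)}")
    print(f"posterior flaw rate/module: {post.mean:.3f} (90% CI {lo:.2f}-{hi:.2f})")
    print(f"expected undiscovered flaws: {undiscovered:.1f}")
    print(f"exposure relative to category average: {ratio:.2f}")
```

With the constructed numbers the category prior is Gamma(3, 10), ten reviewed modules with six flaws move it to Gamma(9, 20), so the posterior rate is 0.45 flaws per module, the 20 unreviewed modules are expected to hold 9 more, and the application sits at 1.25 times the category average. The point of the posterior being a full density rather than a point estimate is that the same data also yields a credible interval, which is what makes the "estimate exposure if data is not mature" claim auditable rather than a guess.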