[Owasp-leaders] Metrics

Sethi, Rohit rohit at securitycompass.com
Mon Nov 29 17:08:04 EST 2010

James, I think this is what the “Centralized Security Configuration Options” requirement is trying to capture (to some extent): http://www.owasp.org/index.php/Projects/OWASP_Secure_Web_Application_Framework_Manifesto/Releases/Current/Manifesto#Centralized_Security_Configuration_Options

Maybe we can focus on practical ways to refine that?

Rohit Sethi
Director, Professional Services
Security Compass
Twitter: rksethi

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Tony UV
Sent: Monday, November 29, 2010 4:56 PM
To: owasp-leaders at lists.owasp.org
Cc: 'James McGovern'
Subject: Re: [Owasp-leaders] Metrics


I think this is a great idea and I would love to help.  Long overdue.  I do think that a common baseline is needed or simply an agreement on what existing baseline of x, y, z consists of is needed.  Whether x = CVSS for vuln rating, and y = FIPS 199 (HIGH, MOD, LOW) for impact analysis, and so on, I think we need to see what existing baseline of measurement criteria is out there for respective security disciplines (security incident monitoring, pen testing, web application testing (dyn/ static analysis), etc, before creating an amalgamation of source information.


I looked at your presentation and saw your email.  I couldn’t marry what your response on data labeling how to do with security metrics outside of the fact that in order for metrics to be applied, proper labels or categories of infosec info needs to be defined, but I couldn’t tell if your research spoke against or for this in general.


Tony UcedaVelez, CISM, CISA, GSEC
Chapter Lead
OWASP Atlanta
Twitter: @versprite

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jeff Williams
Sent: Monday, November 29, 2010 2:36 PM
To: owasp-leaders at lists.owasp.org
Cc: James McGovern
Subject: Re: [Owasp-leaders] Metrics

Hi James,

I studied a number of different labeling regimes and presented the results at OWASP AppSec DC 2010.  Here are the slides and what I intended to say is in the notes.


The key finding from my research is that the content of the label doesn’t really matter that much. Even though it seems like the point is to inform the consumer, that doesn’t work very well.  Actually what you end up doing is affecting the producers.  Which is probably what we wanted to achieve in the first place.

You can try my “Security Facts” label generating software at:


Have fun!


Jeff Williams, Chair
The OWASP Foundation
work: 410-707-1487
main: 301-604-4882

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of James McGovern
Sent: Monday, November 29, 2010 2:02 PM
To: owasp-leaders at lists.owasp.org
Cc: Rohit Sethi
Subject: [Owasp-leaders] Metrics

Monday Thoughts.  We are great at capturing metrics around activities (number of incidents), money (security budgets) and even innovative ways to count things (CWE, CVE, etc) yet security still isn’t “visible” to the masses.  Jeff Williams and the Rugged crowd, threw out the idea of software ingredients. Should we attempt to capture that notion as part of Rohit’s Web Application Security Framework Manifesto where the protections are more of the ingredients than things such as weaknesses?

If you are a baseball fan (I am not), there is a popular book named MoneyBall where they have figured out how to measure/model the performance of baseball players which aided in creating market efficiencies. This was huge for baseball and I believe that infosec needs the equivalent. Is there merit in the metrics project figuring out how to build a data warehouse (think data.gov) that everyone could query to understand their security posture? It could contain products, vulnerabilities, weaknesses, ingredients, etc. We could even figure out a novel way of including the “findings” format that Dinis Cruz often leverages to discover new insights.

James McGovern
Insurance SBU
Virtusa Corporation
100 Northfield Drive, Suite 305 | Windsor, CT | 06095
Phone:  860 688 9900 Ext:  1037 | Facsimile:  860 688 2890
[cid:image001.jpg at 01CB8FE7.FC96F500]<http://www.virtusa.com/> [cid:image002.gif at 01CB8FE7.FC96F500] <http://www.virtusa.com/blog/>  [cid:image003.gif at 01CB8FE7.FC96F500] <https://twitter.com/VirtusaCorp>  [cid:image004.gif at 01CB8FE7.FC96F500] <http://www.linkedin.com/companies/virtusa>  [cid:image005.gif at 01CB8FE7.FC96F500] <http://www.facebook.com/VirtusaCorp>

Virtusa was recently ranked and featured in 2010 Deloitte Technology Fast 500, 2010 Global Services 100, IAOP's 2010 Global Outsourcing 100 sub-list and 2010 FinTech 100 among others.


This message, including any attachments, contains confidential information intended for a specific individual and purpose, and is intended for the addressee only. Any unauthorized disclosure, use, dissemination, copying, or distribution of this message or any of its attachments or the information contained in this e-mail, or the taking of any action based on it, is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail and delete this message.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20101129/00ffaa9f/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 1397 bytes
Desc: image001.jpg
Url : https://lists.owasp.org/pipermail/owasp-leaders/attachments/20101129/00ffaa9f/attachment-0001.jpg 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.gif
Type: image/gif
Size: 744 bytes
Desc: image002.gif
Url : https://lists.owasp.org/pipermail/owasp-leaders/attachments/20101129/00ffaa9f/attachment-0004.gif 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.gif
Type: image/gif
Size: 1211 bytes
Desc: image003.gif
Url : https://lists.owasp.org/pipermail/owasp-leaders/attachments/20101129/00ffaa9f/attachment-0005.gif 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.gif
Type: image/gif
Size: 789 bytes
Desc: image004.gif
Url : https://lists.owasp.org/pipermail/owasp-leaders/attachments/20101129/00ffaa9f/attachment-0006.gif 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.gif
Type: image/gif
Size: 763 bytes
Desc: image005.gif
Url : https://lists.owasp.org/pipermail/owasp-leaders/attachments/20101129/00ffaa9f/attachment-0007.gif 

More information about the OWASP-Leaders mailing list