[OWASP-METRICS] Attack surface

Mark Curphey mark at curphey.com
Sat Sep 25 12:20:17 EDT 2004


I have been pretty quiet for the last few months while I dealt with some personal things but am personally very interested in this topic. I haven't been able to attend any meetings but had a few questions ...

1. Is the intent to develop metrics for process or just technical issues? I am really interested in the results and trends such as "if certain processes are not followed then there is a 50% higher probability of certain defects" etc.

2. Has anyone looked at (published papers) using Six Sigma for process improvement with software?

3. Anyone used any balanced scorecards?


---- Adam Shostack <adam at reflectivecorp.com> wrote:
>
> (The Secret Service and CERT did a report on insiders.  Insiders tend  
> not to use technical exploits against the systems in their attacks.    
> http://www.secretservice.gov/ntac_its.shtml )
> 
> I think you raise a good point...attack surface ought to be measured at  
> multiple points, not just port 80 or 443.  There's an attack surface on  
> the RMI/RPC/SQL side of the web server, and the application has attack  
> surfaces on each host (and network) through to the backend.
> 
> Total application attack surface is a function of each segment's  
> surface.
> 
> 
> On Sep 23, 2004, at 1:35 PM, Mark Curphey wrote:
> 
> > There was work on this done by E&Y validating Microsoft's RASQ model.
> >
> > http://uk.builder.com/whitepapers/0,39026692,60048795p-39000888q,00.htm
> >
> > As regards the HTTP requests, I keep coming back to the CSI report
> > each year that consistently reports over 60% of attacks are internal, and
> > relating this back to my days at Schwab. The "serious" risk was not
> > through the front door but through the back door (no pun intended) or
> > side door (b2b). The side door was becoming HTTP thru web services but
> > the back door ranged from RMI, RPC, T-SQL and <insert choice here>....
> >
> > -----Original Message-----
> > From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com]
> > Sent: Thursday, September 16, 2004 4:29 PM
> > To: owasp-metrics at lists.sourceforge.net
> > Subject: [OWASP-METRICS] Attack surface
> >
> > Hi everyone. I keep reading articles that use the concept of "attack
> > surface" to describe how attackable an application actually is.  But
> > I've never seen the concept explored very deeply. For a web  
> > application,
> > it seems to me that the attack surface is strictly limited to the range
> > of allowed HTTP requests. Anyone interested in helping model this?
> > Seems to me that it shouldn't be too hard, would be really useful, and
> > is likely to be automatable.
> >
> > --Jeff
> >
> > Jeff Williams, CEO
> > Aspect Security, Inc.
> > http://www.aspectsecurity.com
> > work: 410-707-1487
> > main: 301-604-4882
> >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
> > Project Admins to receive an Apple iPod Mini FREE for your judgement on
> > who ports your project to Linux PPC the best. Sponsored by IBM.
> > Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
> > _______________________________________________
> > OWASP-METRICS mailing list
> > OWASP-METRICS at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/owasp-metrics
> >
> >
> >
> >
> 
> 
> 
> 
> 




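The thread makes two claims that are easy to turn into a small model: that a web application's HTTP attack surface is the set of requests the server will accept and that enumerating it is automatable (Jeff), and that the total surface is a function of every segment's surface, the B2B side door and the RMI/RPC/SQL back door included (Adam). The following is an added example written for this page, not code from the list or from any of the posters, and not an implementation of RASQ. The brokerage-style inventory, the access-log lines, and the exposure and pre-authentication multipliers are constructed assumptions; substitute your own inventory and weights.

```python
"""Toy attack-surface inventory across application segments.

Added example, not code from the thread. The inventory, log lines and
weights below are constructed assumptions for illustration; they are not
RASQ or any other published metric.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class EntryPoint:
    segment: str         # "http", "webservice", "rmi", "sql", ...
    name: str            # "GET /account/{id}", "TradeService.placeOrder"
    inputs: tuple        # untrusted input channels: params, headers, args
    authenticated: bool  # reachable only after authentication?


# Constructed inventory of a fictional brokerage application (assumption).
INVENTORY = [
    EntryPoint("http", "GET /login", ("user", "Cookie"), False),
    EntryPoint("http", "POST /login", ("user", "pass", "Cookie"), False),
    EntryPoint("http", "GET /account/{id}", ("id", "Cookie"), True),
    EntryPoint("http", "POST /trade", ("symbol", "qty", "side", "Cookie"), True),
    EntryPoint("webservice", "POST /ws/Quote", ("SOAPAction", "body"), False),
    EntryPoint("rmi", "TradeService.placeOrder", ("order",), True),
    EntryPoint("sql", "sp_place_order", ("symbol", "qty"), True),
]

# Assumed multipliers: how widely each segment is reachable, and how much
# more a pre-authentication entry point counts. Tune to your threat model.
EXPOSURE = {"http": 1.0, "webservice": 0.75, "rmi": 0.5, "sql": 0.25}
UNAUTH_MULTIPLIER = 2.0


def entry_point_score(ep):
    """One point for the entry point plus one per untrusted input,
    doubled when no authentication stands in front of it."""
    base = 1 + len(ep.inputs)
    return base * (1.0 if ep.authenticated else UNAUTH_MULTIPLIER)


def segment_surfaces(inventory):
    """Per-segment surface: entry-point scores scaled by segment exposure."""
    by_segment = defaultdict(float)
    for ep in inventory:
        by_segment[ep.segment] += entry_point_score(ep) * EXPOSURE.get(ep.segment, 1.0)
    return dict(by_segment)


def total_surface(inventory):
    """Total application surface as a function of each segment's surface."""
    return sum(segment_surfaces(inventory).values())


def http_allowed_requests(inventory):
    """The HTTP segment seen as the set of allowed (method, path) pairs."""
    return sorted(ep.name for ep in inventory if ep.segment == "http")


# Automating the HTTP part from an access log. Constructed sample lines.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Sep/2004:12:20:17 -0400] "GET /account/1234 HTTP/1.1" 200 512',
    '10.0.0.5 - - [25/Sep/2004:12:20:18 -0400] "GET /account/5678?view=full HTTP/1.1" 200 640',
    '10.0.0.7 - - [25/Sep/2004:12:20:19 -0400] "POST /trade HTTP/1.1" 302 0',
    '10.0.0.9 - - [25/Sep/2004:12:20:20 -0400] "GET /admin/export HTTP/1.1" 404 210',
    '10.0.0.9 - - [25/Sep/2004:12:20:21 -0400] "GET /wp-login.php HTTP/1.0" 404 210',
]
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
NUMERIC_SEGMENT_RE = re.compile(r"/\d+(?=/|$)")


def http_surface_from_log(lines):
    """Recover the accepted HTTP request shapes from a combined-format log.

    Keeps only requests the server accepted (2xx/3xx), collapses numeric
    path segments to {id} so /account/1234 and /account/5678 are one entry
    point, and records query-parameter names as input channels.
    Returns {(method, path_template): set of parameter names}.
    """
    seen = defaultdict(set)
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        if not 200 <= int(m.group("status")) < 400:
            continue  # rejected probes (the 404s above) are not allowed requests
        parts = urlsplit(m.group("target"))
        path = NUMERIC_SEGMENT_RE.sub("/{id}", parts.path)
        seen[(m.group("method"), path)].update(parse_qs(parts.query, keep_blank_values=True))
    return dict(seen)
```

Two caveats a practitioner would want. A log-derived set is a lower bound: it shows only requests that were actually made, so the route table or server configuration remains the authoritative source for the allowed-request set. And the log of port 80 or 443 says nothing about the other segments; the point of keeping RMI, RPC and stored-procedure entry points in the same inventory is that the total is meaningless if the side and back doors are left out, which is exactly the concern raised above.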