Metrics needed to guide application security decisions

By Nitin Bharti, News Writer, and Michelle Davidson, Editor
01 Mar 2006 | SearchAppSecurity.com

Beyond the technical requirements and tools for application security, greater emphasis is being placed on risk management and on mapping security risks to business goals.

While organizations like OWASP provide advice on Web application security threats and countermeasures, there is still a need for standard metrics to assess vendor tooling as well as the business risks of a security strategy.

The Application Security Industry Consortium (AppSIC), which launched in December 2005, aims to fill that void by providing education on security metrics, methodologies and best practices.

Ed Adams, founder of AppSIC and CEO of Wilmington, Mass.-based Security Innovation, said companies lack the information they need to assess their own security and the security of the applications they use. Companies need metrics so they know what return on investment they are getting from their security purchases, he said.

"Software is not static -- it is constantly changing," added Herbert Thompson, chairman of AppSIC and chief security strategist at Security Innovation. "You can't just measure the executable; you need to measure the vendor."

By providing metrics on the vendor and its products, customers can better understand what they're getting and if it's worth their investment, Thompson said. "If you don't have the metrics, you don't know if you're getting more secure," he said.

Vendors are to some extent being asked to eat their own dog food when it comes to application security. One of AppSIC's deliverables is a list of 20 questions that end users are encouraged to ask their security vendor in order to assess the risk and reliability associated with using a particular product.

"AppSIC's goals are to help companies select software and to help developers decide how to allocate their security budget," Thompson said. "But they need metrics to help them."

It doesn't stop with the initial purchase, Thompson added. There are software patches, and customers have to measure the vendor's processes for handling them and for working with customers when they ship. Then there's the compliance issue: How secure are that vendor's products? Who's liable if there's a breach?

"Compliance has changed the game," Thompson said. Vendors are used to selling functionality, but insecure software does not merely ship unintended "additional functionality" in the form of vulnerabilities; it also adds liability.

AppSIC's members are a mix of customers, analysts, and vendors, including Microsoft, SAP, ING, Compuware and Oracle. "We want to make sure the methodologies we come up with have representation from all cross-sections," Thompson said.
