Application Security Metrics v1.1
The Center for Internet Security (CIS) has announced and published an update (v1.1.0) to the Consensus Security Metrics; I discussed the previous version (v1.0.0) last year. As with the previous version, the aim of the document is to allow organisations to collect, analyse and share data on security performance and outcomes.
This version has no new Application Security metrics, but additional collection data attributes have been defined for technologies, business applications including status, risk assessments, security testing and completely new attributes for the current mitigation status of weaknesses discovered. There is also a new diagram showing the relationship between the various data attributes.
As mentioned above, the actual metrics are essentially unchanged, although the table for "Number of Applications" appears to be missing in the new document, and "Security Testing Coverage" is included but omitted from the contents list.
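To make the relationship between the collection attributes and the metrics concrete, here is an added example (not from the CIS document or this post) that models a small, constructed application inventory with the kinds of attributes v1.1 describes (application status, security testing records, weaknesses with a mitigation status) and derives "Number of Applications", "Security Testing Coverage" and a mitigation-status breakdown from it. The field names and the exact metric definitions are assumptions for illustration; in particular, coverage is taken to mean the share of in-scope applications that had at least one security test inside the reporting window, which is why a test from a previous year does not count.

```python
"""Added example: deriving application security metrics from collection data.

The record layout and the metric definitions are assumptions made for this
illustration; they are not the CIS Consensus Security Metrics definitions.
"""
from collections import Counter
from datetime import date

# Reporting window for the example (constructed value).
REPORTING_WINDOW = (date(2010, 1, 1), date(2010, 12, 31))

# Constructed sample inventory: hypothetical applications, tests and findings.
APPLICATIONS = [
    {"id": "app-1", "status": "production", "technologies": ["java"]},
    {"id": "app-2", "status": "production", "technologies": ["php"]},
    {"id": "app-3", "status": "retired", "technologies": ["asp"]},
    {"id": "app-4", "status": "production", "technologies": ["python"]},
]

SECURITY_TESTS = [
    {"app_id": "app-1", "type": "pentest", "date": date(2010, 9, 1)},
    {"app_id": "app-2", "type": "sast", "date": date(2009, 3, 15)},  # outside window
    {"app_id": "app-3", "type": "pentest", "date": date(2010, 10, 2)},  # retired app
]

WEAKNESSES = [
    {"app_id": "app-1", "cwe": "CWE-79", "mitigation_status": "fixed"},
    {"app_id": "app-1", "cwe": "CWE-89", "mitigation_status": "open"},
    {"app_id": "app-2", "cwe": "CWE-352", "mitigation_status": "accepted"},
    {"app_id": "app-4", "cwe": "CWE-22", "mitigation_status": "open"},
]


def in_scope_ids(apps, status="production"):
    """Applications counted by the metrics: those with the given lifecycle status."""
    return {a["id"] for a in apps if a["status"] == status}


def number_of_applications(apps, status="production"):
    """'Number of Applications' (assumed definition): count of in-scope applications."""
    return len(in_scope_ids(apps, status))


def security_testing_coverage(apps, tests, window_start, window_end, status="production"):
    """'Security Testing Coverage' (assumed definition): share of in-scope
    applications with at least one security test dated inside the window.

    Returns a float in [0, 1]; returns 0.0 when nothing is in scope so the
    metric never divides by zero on an empty inventory.
    """
    scope = in_scope_ids(apps, status)
    if not scope:
        return 0.0
    tested = {
        t["app_id"]
        for t in tests
        if t["app_id"] in scope and window_start <= t["date"] <= window_end
    }
    return len(tested) / len(scope)


def mitigation_status_breakdown(weaknesses, apps, status="production"):
    """Count discovered weaknesses by mitigation status for in-scope applications."""
    scope = in_scope_ids(apps, status)
    return Counter(w["mitigation_status"] for w in weaknesses if w["app_id"] in scope)


if __name__ == "__main__":
    start, end = REPORTING_WINDOW
    print("Number of applications:", number_of_applications(APPLICATIONS))
    print("Security testing coverage:",
          security_testing_coverage(APPLICATIONS, SECURITY_TESTS, start, end))
    print("Mitigation status:",
          dict(mitigation_status_breakdown(WEAKNESSES, APPLICATIONS)))
```

The point of the scoping and the date window is that the status and test-date attributes change the numbers: three applications are in scope, only one was tested in 2010, so coverage is one third even though three test records exist.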
The Consensus Security Metrics includes more than suggested metrics for Application Security: there is a range of management, operational and technical metrics for Incident Management, Vulnerability Management, Patch Management, Configuration Management, Change Management and Financial Metrics. A new Quick Start Guide has also been produced by CIS to help organisations understand and implement the metrics. The document is a good read if you are considering the introduction of security metrics, but be aware that metrics have a tendency to distort normal behaviour, especially if they also have an effect on people's performance measurement. Do remember to read "Security Metrics - Replacing Fear, Uncertainty, and Doubt" (ISBN: 0321349989) by Andrew Jaquith, who has a refreshing viewpoint on security metrics. Also see the information and resources at http://www.securitymetrics.org and https://www.metricscenter.net/.
As a related note, at last week's AppSec Washington DC 2010, Rafal Los presented a passionate suggestion for Five KPIs for Web Application Security Programs, which he had previously announced in a webcast in October. There was plenty of discussion at AppSec DC about these and it will be interesting to see how they firm up, and whether they can be incorporated into the CIS Consensus Security Metrics.
Posted on: 16 November 2010 at 12:55 hrs
