DocumentCode
759078
Title
A Metrics Framework to Drive Application Security Improvement
Author
Nichols, Elizabeth A. ; Peterson, Gunnar
Volume
5
Issue
2
fYear
2007
Firstpage
88
Lastpage
91
Abstract
Web applications' functionality and user base have evolved along with the threat landscape. Although controls such as network firewalls are essential, they're wholly insufficient for providing overall Web application security. They provide security for underlying hosts and a means of communication, but do little to help the application resist attacks against its software implementation or design. Enterprises must therefore focus on the security of the Web application itself. But in doing so, questions immediately arise: "What could go wrong with my software? How vulnerable are my existing applications to the most common problems? What changes to my software development life cycle might affect these vulnerabilities?" The Open Web Application Security Project (OWASP; www.owasp.org) Top Ten offers a starting point for figuring out what could go wrong. This installment of Building Security In presents metrics that can help quantify the impact that process changes in one life-cycle phase have on other phases. For the purposes of this short discussion, we've broken an application's life cycle into three main phases: design, deployment, and runtime. By organizing metrics according to life-cycle phase in addition to OWASP type, insight from the derived quantitative results can potentially point to defective processes and even suggest strategies for improvement.
Keywords
security of data; software metrics; Open Web Application Security Project; Web application functionality; Web application security; application life cycle; application security improvement; metrics framework; network firewall; process changes; Application software; Authentication; Buffer overflow; Buildings; Computer interfaces; Computer security; Drives; HTML; Privacy; Runtime; life cycle; metrics; software development; software engineering; software management;
fLanguage
English
Journal_Title
Security & Privacy, IEEE
Publisher
ieee
ISSN
1540-7993
Type
jour
DOI
10.1109/MSP.2007.26
Filename
4140998
Link To Document