Professional Documents
Culture Documents
2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Proceedings
Understand the need for Identify essential KPIs, Applying the 5 Essential A practical example of
business-level intelligence their definitions, KPIs to Enterprise real-life application of KPIs
components Programs
2
Background
Metrics, KPIs, and Information Security
3
Security Metrics Primer
INFORMATION SECURITY HAS HAD A ROUGH RELATIONSHIP WITH
METRICS
4
Information Security hasnt capitalized on
available metrics can KPIs save the
day?
5
KPI Primer
6
KPI Primer
7
Business vs. IT Goals
8
Business thinks in terms of risk.
Risk is bad, seen in shades of gray.
Mindset reset
9
Tough Questions
10
Enterprise Application Security Program
Challenges
Challenges
Get funded Justify required resources
Find vulnerabilities Bugs in business critical apps
Removing defects Decrease risks with a budget
Proving success How do you prove success?
Resources
Security vulnerability metrics
Application registries
Defect tracking systems
Data from tools, human testing
11
Essential KPIs
Proving Success with Advanced Metrics
12
The 5 Key Performance Indicators (KPIs)
13
KPI #1 Weighted Risk Trend
Maturity Rank: 1
Requirements
Web application registry with business-level criticality assigned
*Pull business criticality rating from DR documents
Vetted web applications security defects by criticality level
Mathematic plot capability
14
KPI #2 Defect Remediation Window
Maturity Rank: 2
The length of time from when a vetted web application security defect is
identified until it is verified closed.
Man-Hours
50
40
30
20
10
0
Requirements 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
15
KPI #3 Rate of Defect Recurrence
Maturity Rank: 3
The rate, over time, at which previously closed web application security
defects are re-introduced into a given application, organization, or other
logical unit.
Recurring Defects
15
10
Requirements 5
0
Advanced defect tracking system 1 2 3 4 5 6 7 8 9 10
16
KPI #4 Specific Coverage Metric
Maturity Rank: 4
Requirements
Method for measuring total application surface (UI, API, code-level
coverage methods) plus *advanced application discovery tools
Advanced security testing capabilities using flow-based, data-driven
methodology for completeness
Integration with Quality Assurance for functional specification coverage
17
KPI #5 Security to Quality Defect Ratio
Maturity Rank: 4
The ratio of security defects to the total number of software quality defects
being generated (functional + performance + security).
Ds
Formula: Ds = Total Security defects; Dt = Total Overall Quality
defects Dt
Requirements
Mature defect reporting system (tracking combined quality defects)
Security as a quality defect
Performance as a quality defect
Functional (+related) as a quality defect
19
KPI Facts
20
Applications
Applying the KPIs
21
Applying KPIs to Web Application
Security Programs
What You Have What You Want
Failures of Common Metrics
23
When Metrics Arent Enough
Unify testing
methodologies
24
Practical
Real-life KPI use-case
25
Example Application
the large financial
Current Situation Complaints
26
Example Application
the large financial
Applied KPI Weighted Risk Trend (WRT)
Application registry + business ranking to prioritize application testing
Business context to go/no-go decisions for critical defects
Demonstrate risk reduction in business-critical applications over time
Demonstrate program spend effectiveness
27
350
200
150
100
50
0
28
1 2 3 4 5 6 7 8 9 10 11 12
350
200
ERP
Retail
150 Marketing
100
50
0
29
1 2 3 4 5 6 7 8 9 10 11 12
Example Application
the large financial
30
Data is raw information
Metrics are refined data
KPIs are metrics with business-context
31
The 5 Key Performance Indicators (KPIs)
KPIs are the difference between technical data points, and the
actionable intelligence that information security needs.
32
Rafal Los - Security Evangelist, HP
Twitter: Twitter.com/Wh1t3Rabbit
Blog: HP.com/go/White-Rabbit
33