2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Proceedings
Background
Essential KPIs
Applications
Practical
A practical example of
real-life application of KPIs
Background
Metrics, KPIs, and Information Security
KPI Primer
KPI Primer
What are
Business
Goals?
Mindset reset
9
Tough Questions
Will it be possible to perform an
analysis of 100% of enterprise
web applications?
Will a zero vulnerability metric be
reachable, practical or even
desirable?
Is vulnerability reduction the same
as risk reduction?
10
Resources
Security vulnerability metrics
Application registries
Essential KPIs
Proving Success with Advanced Metrics
12
Requirements
Web application registry with business-level criticality assigned
*Pull business criticality rating from DR documents
Requirements
50
40
30
20
10
0
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
15
10
Requirements
Advanced defect tracking system
0
1
10
Ds
Formula:
defects Dt
Requirements
Mature defect reporting system (tracking combined quality defects)
KPI Facts
KPI: WRT
KPI: DRW
KPI: RDR
Reappearing defects
measure internal
development confusion
Critical = 10
High = 5
Medium = 2
Low = 1
Application business
criticality must be rigidly
defined
19
Business critical
Critical
Important
KPI Facts
KPI: SCM
KPI: SQR
Final step in
organizational maturity
with respect to security
testing
Most organizations
cannot identify even
known attack surface
coverage
Flow-driven & data-driven
methodology is required
to fully test known attack
surface
Exploratory testing
required to discover
unknown functionality
20
Demonstrates security
adoption as a component
of overall software quality
Applications
Applying the KPIs
21
Failure Mode(s)
Options?
1. Number of
vulnerabilities found
1. So what? No
context!
Business Context.
2. Number of pages
scanned/tested
2. So what? Do
pages matter?
3. Critical
vulnerabilities found
3. Business-critical? Or
IT-critical? Or?
4. Critical
vulnerabilities fixed
4. Business-critical? Or
IT-critical? Or?
23
KPIs Answer
Remove subjectivity of
metrics by providing
business context
Practical
Real-life KPI use-case
25
Example Application
the large financial
Current Situation
Complaints
1,500 web
applications
26
Example Application
the large financial
Applied KPI Weighted Risk Trend (WRT)
Application registry + business ranking to prioritize application testing
Business context to go/no-go decisions for critical defects
Demonstrate risk reduction in business-critical applications over time
Demonstrate program spend effectiveness
350
300
More vulnerabilities =
more risk?
250
200
150
100
50
0
28
10
11
12
350
300
App criticality +
defects = more risk
250
200
ERP
Retail
Marketing
150
100
50
0
29
10
11
12
Example Application
the large financial
KPIs mean measurable gains
Break the security silo
30
31
KPIs are the difference between technical data points, and the
actionable intelligence that information security needs.
32
Rafal Los
Email: Rafal@HP.com
Security Evangelist, HP
Direct: +1 (404) 606-6056
Twitter: Twitter.com/Wh1t3Rabbit
Blog: HP.com/go/White-Rabbit
33