Education Level: Intermediate

ST04 - Measuring the Cybersecurity of Software

Monday, September 25
2:45 PM - 3:15 PM

Recent security breaches such as the ones at SWIFT, Target, and Anthem are entering the realm of nine-digit defects, where damages can exceed $100 million. Today, security of business applications is a top boardroom issue. Advances in software analysis technology enable IT to detect weaknesses in the source code that can be exploited to gain unauthorized entry. Both the Software Engineering Institute and CAST have recently found that weaknesses causing reliability problems can in many cases be exploited for unauthorized entry, indicating that poor-quality code is also insecure code.

The Consortium for IT Software Quality (CISQ) is chartered by its industry sponsors to create automatable measures of software size and quality. CISQ measures include standards recently approved by the Object Management Group for Automated Function Points, Reliability, Security, Performance Efficiency, and Maintainability. The four quality measures are based on definitions of these attributes in ISO 25010 and provide source-code-level measures that supplement the largely behavioral measures in ISO 25023. In particular, the Security measure is based on measuring 22 of the top Common Weakness Enumerations (i.e., the CWE/SANS Institute Top 25 most dangerous software errors and the OWASP Top 10) that can be detected through static analysis. These weaknesses include well-known culprits such as SQL injection, buffer overflows, and cross-site scripting. This measure provides an accurate estimate of the likelihood that an attacker can find an exploitable weakness in an application.

The continuing flow of breaches exploiting SQL injection, a weakness known since the late 1990s, suggests that IT needs a major undertaking similar to the Y2K endeavor to rid source code of the most easily exploited weaknesses. Executives both in and outside IT need to assess the cybersecurity risk of their systems using measures such as the CISQ standards and enforce remedial actions based on them.

Learning Objectives:

Lev Lesokhin

EVP Strategy and Analytics

Lev Lesokhin is responsible for strategy, cyber resilience policy, and analytics research activities for CAST, the global leader in software analytics and risk prevention. He serves on the boards of the Consortium for IT Software Quality and the TMMI Foundation, and appears in such media as the BBC, Bloomberg, CBS, The Times, and CNBC.

Lev has many years of direct experience as a developer and manager of application development teams, and managed large client relationships for a regional Systems Integrator. Prior to CAST, Lev was at SAP, where he helped launch SAP’s first SaaS products. He also served as a consultant at McKinsey & Company, dealing with issues of business strategy, IT management, governance, metrics and outsourcing. Lev holds a B.S. in Electrical Engineering from Rensselaer Polytechnic Institute, and an MBA from the MIT Sloan School of Management.

