Octotrike.org
MiniMetricon 3.5 Presentation
Attack Resistance Score

Brenda will present a candidate scale to use for direct measurement of the security of a product: direct as opposed to indirect indicators like security defect count, percentage of developers who have received secure coding training, or code complexity; measurement as opposed to qualitative analysis; product as opposed to operation or organization.

The units of attack resistance score are seconds (sort of) required to get from one set of privileges to another using the system, not including exploit development or system discovery time. Interesting starting & ending privileges would presumably come from the system's security objectives.

The system is analogous to a resistor network, with the connection points being privileges and the resistance unit being time. The time to traverse each resistor (intentional or not) can be estimated at design time, then measured in deployment. Graph traversal algorithms and standard electrical engineering equations can be used to compute the attack resistance score for any given security goal.
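The computation sketched above, as an added example that is not Trike project code: privileges are graph nodes, each transition's estimated time in seconds is a resistor, a graph traversal confirms the target privilege is reachable at all, and nodal analysis (Kirchhoff's current law) then yields the effective resistance between the start and target privileges. Edges are treated as undirected, the simplest reading of the resistor analogy, and the privilege names and times are constructed.

```python
def attack_resistance_score(edges, start, target):
    """edges: iterable of (privilege_a, privilege_b, seconds). Returns R_eff."""
    if start == target:
        return 0.0
    adj = {}
    for a, b, seconds in edges:
        adj.setdefault(a, []).append((b, seconds))
        adj.setdefault(b, []).append((a, seconds))
    # Graph traversal first: only the component containing `start` matters.
    reach, stack = {start}, [start]
    while stack:
        for nxt, _ in adj.get(stack.pop(), []):
            if nxt not in reach:
                reach.add(nxt)
                stack.append(nxt)
    if target not in reach:
        return float("inf")  # no route between the privileges: unbounded
    # Nodal analysis: ground the target, inject 1 unit of current at start,
    # solve the reduced Laplacian L * v = i; the voltage at start is R_eff.
    nodes = sorted(reach - {target})
    idx = {n: i for i, n in enumerate(nodes)}
    n = len(nodes)
    mat = [[0.0] * n for _ in range(n)]
    rhs = [0.0] * n
    rhs[idx[start]] = 1.0
    for u in nodes:
        for v, seconds in adj[u]:
            g = 1.0 / seconds  # conductance of one transition
            mat[idx[u]][idx[u]] += g
            if v != target:
                mat[idx[u]][idx[v]] -= g
    # Gauss-Jordan elimination with partial pivoting (pure Python, no numpy).
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(mat[r][col]))
        mat[col], mat[pivot] = mat[pivot], mat[col]
        rhs[col], rhs[pivot] = rhs[pivot], rhs[col]
        for r in range(n):
            if r != col and mat[r][col] != 0.0:
                f = mat[r][col] / mat[col][col]
                mat[r] = [x - f * y for x, y in zip(mat[r], mat[col])]
                rhs[r] -= f * rhs[col]
    return rhs[idx[start]] / mat[idx[start]][idx[start]]


# Constructed example: four privilege levels with estimated transition times in
# seconds; the user/app_admin link makes a bridge, so no series/parallel shortcut.
PRIVILEGE_GRAPH = [  # (privilege_a, privilege_b, estimated seconds), constructed
    ("anonymous", "user", 100), ("anonymous", "app_admin", 200),
    ("user", "root", 300), ("app_admin", "root", 200), ("user", "app_admin", 50),
]
```

Two sanity checks follow directly from the analogy: transitions in series add their times, while two independent routes in parallel give a score lower than either route alone, because an attacker may take whichever is faster.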

Brenda will cover how an attack resistance score is calculated and why this could be a reasonable way to calculate it, prerequisites for widespread use and usefulness of this metric, known limitations, and anticipated uses. She will also list a few of the many other related metrics that are possible using this analogy.

The attack resistance score concept is under active development by the Trike team and will be part of the v2 release.

Slides: Attack Resistance Score

News

31 Jul 2012
Brenda Larcom will be presenting a half-day tutorial on using the current Trike spreadsheet to write security objectives at IEEE RE 2012, September 25 in Chicago, IL.

1 Jul 2012
First official spreadsheet release, 1.5.06.

1 Jul 2012
New SVN and web site organization to support parallel development of the standalone and spreadsheet tools.


Copyright 2004-2008 Brenda Larcom, Eleanor Saitta, and Stephanie Smith. Copyright 2009-2012 Brenda Larcom and Eleanor Saitta. All rights reserved.