
Security Metrics the Intent of


Security Metrics

The intent of this analysis is to provide insights into the most commonly used metrics of security performance that encompass the development, testing and use of Web-based applications in addition to their use in integrated, enterprise-wide deployments. Typically the greater the number of integration points throughout a given network, the greater the potential of the network's security being compromised over time (Xiong, Perros, 2008).

As recent examples of Distributed Denial of Service (DDoS) attacks on the social networking sites Facebook and Twitter have shown, the greater the complexity and level of integration throughout a given site or complex of sites and systems, the greater the need for Network Intrusion Detection Systems (NIDSs) that are managed according to the metrics in this paper (Su, Yu, Lin, 2009).

Evaluating Security Metrics

In the development of any Web-based application, the foundational elements of the application must be continually evaluated for security compliance even after it is delivered.

The following metrics apply to the security levels of distributed Web applications:

XML Command Fidelity Index -- This measures the percentage of XML commands that reach their intended locations and support consistent levels of secured communication between application system components. Measured as a percentage against 100%, the higher the figure, the more fidelity and security there is in the XML command strings of the application.

CRC Packet Checking Ratio -- This will define the Cyclic Redundancy Checking (CRC) for a given TCP/IP packet that is transferred over the network and report back the percentage of time it reaches its destination. This metric can also be stratified by security level to see if there is a correlation of security performance by higher levels of encryption over time.

(%) of Application Source Code (Number of Lines) Run Through Security Gate Checks by Build -- This metric is run every time there is a new build of software to ensure that potential security of the overall application is not compromised during a specific build, and that it does not propagate through subsequent builds of the application. This is also used as a measure of software quality management to determine how effective security screening is during the actual development process.

(%) Cross Site Scripting (XSS) errors -- By far the most common strategy hackers use to gain access to the source code of websites and the databases supporting them is to use a technique called cross-site scripting (Brodkin, 2007). Actively monitoring the percentage of XSS errors over time can determine patterns of when hackers attempt to gain access to a website's source code, database links, pricing and e-commerce systems. This is one of the most often used metrics in security dashboards used for monitoring Web-based applications and multisite installations.

(%) Incidence and Trending of Buffer Overflow Injection Flaws -- This is most commonly associated with attempts to gain access to SQL databases supporting a website by forcing a buffer overflow condition (Brodkin, 2007). This is one of the most effective hacking strategies there are as it forces a system to fail and allow access.

(%) Authentication Soft and Hard Errors -- The most ubiquitous of metrics, this measures how many times passwords work or fail, and how their reset trending indicates that an automated set of code or a bot is attempting to gain literally hundreds of passwords for a system simultaneously (Brodkin, 2007).

(%) Service Level Agreement (SLA) hard security faults on system performance -- All services companies who offering hosting offer.
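
One way to compute the authentication soft and hard error percentages described above per time window, as an added example that is not part of the original paper. The log format, the reading of "soft" as a wrong password and "hard" as an account lockout, and the three-account threshold for flagging a source are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the paper): timestamp, source, account, result.
# Assumption: SOFT_FAIL = wrong password, HARD_FAIL = account locked out.
SAMPLE_LOG = """\
2009-08-08T10:00:05 10.0.0.5 alice OK
2009-08-08T10:00:40 10.0.0.5 alice SOFT_FAIL
2009-08-08T10:01:10 10.0.0.5 alice OK
2009-08-08T10:02:30 10.0.0.7 bob OK
2009-08-08T10:05:01 203.0.113.9 alice SOFT_FAIL
2009-08-08T10:05:02 203.0.113.9 bob SOFT_FAIL
2009-08-08T10:05:03 203.0.113.9 carol SOFT_FAIL
2009-08-08T10:05:04 203.0.113.9 dave HARD_FAIL
2009-08-08T10:06:10 10.0.0.7 bob OK
"""

def window_metrics(log, minutes=5, threshold=3):
    """Per window: % soft errors, % hard errors, and sources that failed
    against `threshold` or more distinct accounts (automated-guessing signal)."""
    buckets = defaultdict(list)
    for line in log.strip().splitlines():
        ts, src, user, result = line.split()
        t = datetime.fromisoformat(ts)
        # Truncate the timestamp down to the start of its window.
        key = t.replace(minute=t.minute - t.minute % minutes, second=0)
        buckets[key].append((src, user, result))
    report = {}
    for key, events in sorted(buckets.items()):
        total = len(events)
        soft = sum(r == "SOFT_FAIL" for _, _, r in events)
        hard = sum(r == "HARD_FAIL" for _, _, r in events)
        failed = defaultdict(set)  # source -> distinct accounts it failed on
        for src, user, r in events:
            if r != "OK":
                failed[src].add(user)
        report[key.strftime("%H:%M")] = {
            "soft_pct": round(100 * soft / total, 1),
            "hard_pct": round(100 * hard / total, 1),
            "suspect_sources": sorted(s for s, u in failed.items() if len(u) >= threshold),
        }
    return report

if __name__ == "__main__":
    for window, metrics in window_metrics(SAMPLE_LOG).items():
        print(window, metrics)
```

A single user mistyping a password raises the soft percentage slightly; one source failing across many accounts in the same window is what separates automated attempts from ordinary errors.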

Cite This Paper
"Security Metrics The Intent Of" (2009, August 08) Retrieved April 22, 2026, from
https://www.paperdue.com/essay/security-metrics-the-intent-of-20044
