> On Jul 28, 2016, at 4:29 PM, Damianos Metallidis <[email protected]> > wrote: > > The overview / description of the intention of my work is based on an open > source metric-based monitoring tool called prometheus(https://prometheus.io). > Metrics that i am already gathering has to do with response times,throughput, > availability, accessibility etc. I have also declared metrics based on > authorization where i report whenever i have successful or failure > authentications. > > Giving a second thought on the implementation of security metrics i have > decided to follow a more generic way and define metrics like: Mean Time of > Incident Recovery, percent of software components without known severe > vulnerabilities etc. > As i am in the interest of a developing monitoring solution (which > implements aggregations and computation formulas on a seconds step) i assume > that values like the breaching of accessing (in the fortress > application/service in our situation) or the improper modification of objects > should be given by a third party security system tool. That said, having this > information i could perform the right aggregations that i have defined. > > My role is to observe and give statistics about how the system is safe (in > case of the security property (as i deal with performance also)) and not to > develop let's say an intrusion detection system. > I would be glad to here your opinion about.
Still trying to understand. The goal of your efforts will be a report outlining these statistics? Or to create / configure another software component (i.e. prometheus), to be capable of producing these data points, about other products, such as fortress? Thanks, Shawn
