It’s All in the Numbers: Decoding AppSec

Mark Lambert
May 3, 2022

“Metrics may not help you prevent an attack, but they will, over time, contribute to your organization’s overall security health.” — The Purple Book, Chapter 8

Digital and business transformation have always been at the heart of an organization. But in 2020 the pandemic pushed them to the top of the priority list for businesses. In a 2021 survey by Capital One, 85% of participants had shifted to being cloud-native and 86% had implemented containers for application development.

With more automation, APIs, containers, and enterprises building their own mobile apps, it’s imperative that businesses tighten up their boots and shift the focus to code and not just AppSec. Encouragingly, it appears that they are doing just that.

AppSec is an integral part of DevSecOps

One of the ways this is happening is through Application Security Testing (AST) with better pen tests and tools that will form the framework for threat models, which developers can use even as they begin building an app. According to Gartner, AST is now driven by organizations adopting a DevSecOps approach, which requires meshing AST tools early in the development cycle.

Traditionally, AppSec has relied on tooling while DevSecOps is centered around process and governance implemented with automation. By adopting the DevSecOps approach companies can strengthen and stabilize their SDLC and CI/CD pipelines to deliver a holistically secure, fortified app.

Metrics for success

Tracking certain key metrics allows us to quantify progress, and demonstrate the value of implementing AppSec programs and a DevSecOps approach, be it to developers or to leadership. 

But what metrics should you measure? 

The metrics framework needs to be built keeping many factors like your organization’s current state of security, industry, business objectives, and audience in mind for acquiring deeper and more accurate insights. The first step is to build a policy and establish a standard that holds security up to compliance. 

These standards should have criteria that will enable data to be measured in numbers, and can be easily accessed and measured consistently.

Some of the key metrics to measure would be: 

  • Track legacy applications and the percentage to which they are secure
  • The time currently taken to resolve critical issues
  • The extent of vulnerability distribution and types
  • Number of security incidents  
  • Third party data flow and privacy

Suresh Chandra Bose, a lead assessor from the TMMi Foundation lists 6 key DevSecOps metrics to optimize AppSec outcomes.

  1. Reduced total security tickets opened
  2. Reduced time-to-deploy
  3. Discovery of pre-production vulnerabilities
  4. Reduced time-to-remediate
  5. Percentage of security audits passed
  6. Reducing failed security tests

“Measurement is the first step that leads to control and eventually to improvement” — H. James Harrington

DevSecOps, as you can see, is an integral part of enhancing AppSec maturity enabling a secure evolution for your business. The Purple Book Community can help you get started.

What is the Purple Book Community?

What is the Purple Book Community?

The challenges that DevSecOps pose can only be solved by initiating a cultural and mindset shift. People need to be enabled to adopt DevSecOps in its true spirit. This is where the idea of the Purple Book Community came about. 

The Purple Book Community comprises top security thought leaders and practitioners. Initially, it brought together 29 industry experts together to write a comprehensive book about DevSecOps, AppSec, and product security concerns, best practices, and case studies. This book will be offered free of charge for the benefit of the broader community.

How can the Purple Book Community help?

The book, as well as any other content that the community creates, provides actionable guidelines and playbooks to help businesses steadily add robust layers of security by adopting DevSecOps. It helps companies build the case for stronger security capabilities by learning from practitioners who have been there and done that. The content of the book will be kept current by leaders who will write blogs and publish podcasts regularly. 

Cybersecurity challenges are evolving every day to become more sophisticated. It’s important to have equally sophisticated experts on your side to decode the threats and keep your business safe. And the Purple Book Community is built to do just that.

The Purple Book Community acts as your support system and guide as you figure out your business framework and implement those key processes to fulfill the promises of DevSecOps.

Participate in the community!

The community meets twice a month to talk about the latest developments in the industry, network with each other, share best practices, decode major attacks, and build long-lasting bonds. To know the latest updates and participate in events, check out the community’s LinkedIn page.

Chief Product Officer, ArmorCode