The Book
Membership
Explore MembershipGlobal Expansion Program
AppSecConS3M2Journey to AppSec Maturity
Events
Upcoming Events
RSAC 2024
JTAM OWASP Global AppSec conferenceJTAM AWS ReInvent conference
Past Events
Mumbai ChapterAtlanta ChapterBengaluru ChapterNew Delhi ChapterNYC Chapter LaunchCyber SoireeWomen In SecurityDavos DialogueFirst LookSBOM
Cyber Future Dialogue 2024
JTAM Virtual Workshop - September
JTAM Roundtable - OWASP Global AppSec
Resources
PodcastsBlogsState of AppSec 2023
Contact Us
The Book
Membership
Explore Membership
Global Expansion Program
AppSecCon
S3M2
Journey to AppSec Maturity
Events
Resources
Contact Us

Security Metrics That Make a Difference

By 
Tanya Janca
,
and
September 20, 2022

With the growing digitalization of our lives, AppSec becomes increasingly important to ensure the security of applications against potential attacks and threats in this data-driven world. 

Security metrics provide a measurable way to track the effectiveness of AppSec practices employed to help you achieve your security goals.

Vanity Metrics vs Value Metrics

There are multiple variables to keep track of, and it can get a bit overwhelming. The most important step is to steer clear of vanity metrics that look good on the surface but don’t translate into meaningful insights. 

For example, merely tracking the number of vulnerabilities detected can be a misleading vanity metric that ultimately may not reveal the types of vulnerabilities your system misses out on. 

On the other hand, tracking the number of new vulnerabilities detected is a value metric that can help dev teams optimize their software updates and fixes. In this way, value metrics truly provide actionable, tangible information to help you track and reach your goals.

How do metrics help reach security goals?

Setting measurable security goals and figuring out the steps needed to accomplish them are essential. Security metrics will help you develop a streamlined AppSec approach to effectively channel your team’s resources. At the same time, they also help improve your coding and troubleshooting practices to enable your team to achieve your security goals.

Let’s look at some of the key security metrics to track.

Important security metrics to track

Mean Time to Detection

Mean Time to Detection (MTD) is the average time it takes to detect vulnerabilities. Can you detect vulnerabilities in a matter of minutes or does it take a couple of years? A shorter MTTD proves that your diagnostic methods are effective and helps keep your app secure.

Mean Time to Response/Remediate

Mean Time to Response/Remediate is a metric that tracks the period from when the vulnerability was detected to when it got fixed. The quicker your team can resolve vulnerabilities, the more secure your apps will be.

Average number of vulnerabilities per system or app

This metric provides a macroscopic perspective on the robustness of your AppSec practices. While detecting and fixing vulnerabilities is a constant process, a lower average number of vulnerabilities per system/app equates to a higher level of security.

Types of vulnerabilities found

Each type of vulnerability represents a different way a system can be exploited. The AppSec team needs to carefully monitor the types of vulnerabilities found to optimize their diagnostic process and coding efforts according to the vulnerability type in question.

New vulnerabilities detected

The cyclic process of application development and updates comes with the downside of increasing vulnerabilities. It can be challenging to deal with these new vulnerabilities while still fixing old ones. New vulnerabilities detected is a key AppSec metric that helps the team monitor risks and makes the new application version more secure.

High-value AppSec goals

Without the right goals, your security metrics will not yield optimal results. Your AppSec team needs to set high-value goals and use the right metrics to improve their performance to achieve these goals. Some key security goals could be:

Bug type eradication

Your AppSec team could focus on eliminating a specific bug type by optimizing the code and tracking vulnerabilities using metrics.

Increasing time between security incidents

A security incident puts the whole AppSec team under high pressure, as it is essential to minimize potential damage by resolving the incident as soon as possible. A longer time between security incidents not only helps ease the staff’s workload but is also a healthy indicator of the effectiveness of your security measures.

Applications compliant with your policy

Compliance is an integral part of AppSec, and using the right metrics can help your team keep your applications compliant with relevant organizational and governmental policies, and keep leadership and stakeholders happy.

Tracking metrics to work towards a secure future

With the rise of Fintech and SaaS industries, it is crucial for applications and systems to become more secure. Without actionable metrics to quantifiably measure progress, security efforts will remain unfocused and ineffective at best. 

Choosing the right metrics helps optimize your AppSec team’s protocols and practices towards eliminating vulnerabilities and creating more secure apps in the future.

Tanya Janca
Founder & CEO at We Hack Purple Academy
Uniting security leaders and practitioners on a mission to democratize software security and solve its ever-evolving challenges with the power of Community.
The Book
Membership
Podcasts
Blogs
Events
Past Events
AppSecCon New York Reception
AppSecCon Austin Reception
AppSecCon  Santa Clara Reception
Mumbai Chapter
Atlanta Chapter
Bengaluru Chapter
Davos Dialogue
Resources
Contact Us
Copyright © Powered By ArmorCode Inc.
Privacy Policy
|
Terms & Conditions
The information contained in the Purple Book of Software Security and associated marketing material contains content expressed by Purple Book Community members. These opinions are their own, are not affiliated with the organizations that they belong to and have no commercial affiliation or any endorsement of any commercial products or services, including the community sponsors.