Metrics for Security Testing Programs

December 4, 2007

What metrics best capture the progress of Enterprise-wide Security Testing programs? Here are four of our favorites:
1. Number of Apps Tested
This shows how quickly the enterprise's apps are enrolled in the testing program. Keep track of both the number of apps tested and the number of tests performed each month. The first should grow continuously until all apps are enrolled for testing. The second shows the level of testing activity: expect it to rise sharply at first and then settle at a lower rate once most apps have completed two rounds of testing.
2. Apps with High Risk Findings
What fraction of the apps tested have high risk findings? This gives top management a high-level view of how secure the enterprise's applications are. In the early days of any application security program, the red line will closely follow the blue. As fixes are implemented and development practices improve, the red line starts dropping off. The goal, of course, is to send that red line to zero.
3. Findings per Application
The average number of findings per app is another high-level metric. Recorded over time, it tells you how rapidly the organization is tightening application security. The drop in the first 6-12 months after a testing program is initiated usually comes from fixing the holes discovered in testing. After that, the drops usually come from more fundamental improvements in the software development process.
4. Number of Findings Closed
This tells you the rate at which developers are fixing security bugs: the steeper the curve, the better. Management should question what's going on if those bars drop in any month (like October in the sample graph).
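The four metrics above are all derived from the same test log, so the whole set can be computed with one small script. The following is an added example, not code from the original post: it takes a constructed list of test records (app name, month tested, findings with severity and the month each was closed) and produces, per month, the cumulative number of apps tested, tests run that month, the fraction of apps whose latest test has a high risk finding, the average findings per app, and findings closed that month. It also flags any month where closures fall below the previous month, the condition the post says management should question. The record layout and sample data are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    severity: str            # "High", "Medium" or "Low"
    closed: Optional[str]    # "YYYY-MM" the fix was verified, or None if still open


@dataclass
class Test:
    app: str
    month: str               # "YYYY-MM" the test was performed
    findings: List[Finding]


# Constructed sample test log for the example (not real data).
SAMPLE_TESTS = [
    Test("billing",  "2007-07", [Finding("High", "2007-08"),
                                 Finding("Medium", "2007-09"),
                                 Finding("Low", None)]),
    Test("portal",   "2007-07", [Finding("High", "2007-09"),
                                 Finding("Low", "2007-08")]),
    Test("hr",       "2007-08", [Finding("Medium", "2007-10")]),
    Test("billing",  "2007-09", [Finding("Low", None)]),      # retest: high fixed
    Test("portal",   "2007-10", [Finding("High", None)]),     # retest: new high found
    Test("intranet", "2007-10", []),                          # first test, clean
]


def months_between(start: str, end: str) -> List[str]:
    """Inclusive list of 'YYYY-MM' strings from start to end."""
    y, m = map(int, start.split("-"))
    ey, em = map(int, end.split("-"))
    out = []
    while (y, m) <= (ey, em):
        out.append(f"{y:04d}-{m:02d}")
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return out


def monthly_metrics(tests: List[Test]) -> Dict[str, Dict[str, float]]:
    """Compute the four program metrics for every month covered by the log."""
    tests = sorted(tests, key=lambda t: t.month)
    all_findings = [f for t in tests for f in t.findings]
    report: Dict[str, Dict[str, float]] = {}
    for month in months_between(tests[0].month, tests[-1].month):
        # Latest test per app as of this month; ascending sort means later overwrites.
        latest: Dict[str, Test] = {}
        for t in tests:
            if t.month <= month:
                latest[t.app] = t
        apps = len(latest)
        with_high = sum(1 for t in latest.values()
                        if any(f.severity == "High" for f in t.findings))
        report[month] = {
            "apps_tested": apps,                                   # metric 1 (cumulative)
            "tests_this_month": sum(1 for t in tests if t.month == month),
            "high_risk_fraction": with_high / apps if apps else 0.0,   # metric 2
            "findings_per_app": (sum(len(t.findings) for t in latest.values()) / apps
                                 if apps else 0.0),                    # metric 3
            "findings_closed": sum(1 for f in all_findings if f.closed == month),  # 4
        }
    return report


def closure_drops(report: Dict[str, Dict[str, float]]) -> List[str]:
    """Months where findings closed fell below the previous month's count."""
    months = sorted(report)
    return [m for prev, m in zip(months, months[1:])
            if report[m]["findings_closed"] < report[prev]["findings_closed"]]


if __name__ == "__main__":
    rep = monthly_metrics(SAMPLE_TESTS)
    for month, row in rep.items():
        print(month, {k: round(v, 2) for k, v in row.items()})
    print("closure rate dropped in:", closure_drops(rep))
```

The "latest test per app" rule matters for metrics 2 and 3: an app that was retested after its fixes should count with its new, smaller finding set, otherwise the red line never comes down. Fed a real test log in the same shape, the per-month rows are exactly what the four graphs plot.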

