Metrics for Security Testing Programs

Paladion
By Paladion

December 4, 2007

What metrics best capture the progress of Enterprise-wide Security Testing programs? Here are four of our favorites:
1. Number of Apps tested
[Chart: AppsTested.gif]
This shows how quickly the enterprise's apps are enrolled in the testing program. Track both the number of apps tested and the number of tests done each month. The first should grow continuously until all apps are enrolled for testing. The second shows the level of testing activity: expect it to rise sharply at first and then settle at a lower rate once most apps have completed 2 rounds of testing.
2. Apps with High Risk Findings
[Chart: AppsWithHighRiskFindings.gif]
What fraction of the apps tested have high risk findings? This gives top management a high-level view of how secure the enterprise's applications are. In the early days of any application security program, the red line will closely follow the blue. As fixes are implemented and development practices improve, the red line starts dropping off. The goal, of course, is to send that red line to zero.
3. Findings per Application
[Chart: FindingsPerApp.gif]
The average number of findings per application is another high-level metric. Recorded over time, it tells you how rapidly the organization is tightening application security. The drop in the first 6-12 months after a testing program is initiated usually comes from fixing the holes discovered in testing. After that, the drops usually come from more fundamental improvements in the software development process.
4. Number of Findings Closed
[Chart: FindingsClosed.gif]
This tells you the rate at which developers are fixing security bugs: the steeper the curve, the better. Management should question what's going on if those bars drop in any month (as in October in the sample graph).
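The four metrics above, computed month by month from a constructed test log. This is an added example, not code from the original post; the record schema and the definition of metric 2 as "apps with at least one High finding still open at month end" are assumptions.

```python
# Constructed sample data (not from the page): one record per test run as
# (app, month tested, findings). Each finding is (severity, month closed),
# with None meaning the finding is still open.
TESTS = [
    ("billing", "2007-07", [("High", "2007-08"), ("Medium", "2007-09")]),
    ("portal",  "2007-07", [("Low", "2007-08")]),
    ("billing", "2007-09", [("Medium", None)]),
    ("hr",      "2007-09", [("High", None), ("High", "2007-10")]),
    ("portal",  "2007-10", []),
]
MONTHS = ["2007-07", "2007-08", "2007-09", "2007-10"]  # ISO months sort as strings


def apps_tested(tests, months):
    """Metric 1: (cumulative distinct apps enrolled, tests run) per month."""
    seen, out = set(), {}
    for m in months:
        runs = [t for t in tests if t[1] == m]
        seen.update(app for app, _, _ in runs)
        out[m] = (len(seen), len(runs))
    return out


def apps_with_open_high_risk(tests, months):
    """Metric 2: fraction of enrolled apps carrying an open High finding at
    the end of each month (assumed definition of 'has high risk findings')."""
    out = {}
    for m in months:
        enrolled = {app for app, tested, _ in tests if tested <= m}
        at_risk = {app for app, tested, finds in tests if tested <= m
                   and any(sev == "High" and (closed is None or closed > m)
                           for sev, closed in finds)}
        out[m] = len(at_risk) / len(enrolled) if enrolled else 0.0
    return out


def findings_per_app(tests, months):
    """Metric 3: average findings per test run in the month (None if no tests)."""
    out = {}
    for m in months:
        runs = [finds for _, tested, finds in tests if tested == m]
        out[m] = sum(len(f) for f in runs) / len(runs) if runs else None
    return out


def findings_closed(tests, months):
    """Metric 4: number of findings closed in each month."""
    return {m: sum(1 for _, _, finds in tests for _, closed in finds
                   if closed == m) for m in months}
```

A drop in `findings_closed` between two months is the signal the post says management should question; metric 2 is the one that should trend toward zero.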