Application Security Program Metrics

Manage your AppSec efforts with insightful metrics.

Organizations Lack Insight into Their AppSec Efforts

Most organizations lack insight into how their application security efforts influence, and help them achieve, their business objectives. In many cases, they have no data or metrics available to them at all. At NetSPI, we help our clients define metrics that can be automated easily from existing business processes and raw data, and that carry the business context needed to make effective business decisions.

Gain Business Insight

In order to effectively manage your organization’s application security efforts, the right metrics are key. Proper metrics allow you to articulate the application security program’s value to your organization’s executive team and board. Being able to properly evangelize the value of your application security efforts makes it easier to procure funding and to improve your organization’s security risk posture from an application security perspective. Understanding the data at hand well enough to answer business-contextualized questions allows for better strategic decision making.

Ultimately, having access to the proper metrics helps answer whether your organization is doing the right things and focusing its application security efforts correctly. The metrics also help determine whether you are doing enough, or focusing too much or too little on certain areas.

Start with defining the risk management objectives.

Ask the appropriate questions about managing risk.

Answer the questions with data based on your AppSec efforts.

Ask and Answer the “Right” Questions

It’s common for executives in organizations to ask the wrong questions, and the answers to those questions in many cases are misleading or don’t exist.

“Wrong” Questions

How does our vulnerability count compare to our competitors?

  • Data to answer questions like this is often unavailable.
  • It’s hard to compare apples to apples (e.g. your competitor may be performing static analysis, while your organization performs penetration testing).

What is our average time to recover from a security incident?

  • This is something that’s usually out of the application security team’s control.
  • The time to recover varies greatly depending on the actual incident.

“Right” Questions

Gathering the right data and having access to the applicable metrics allows organizations to answer better questions, including:

We invested a significant amount of money in the AppSec program:

  • What is the impact on our organization’s risk posture?
  • What value are we getting on our investment?
  • What areas of our business need immediate application security focus?
  • How well are we meeting our compliance requirements?

AppSec Capabilities Drive AppSec Metrics Maturity

Building AppSec metrics needs to be done in multiple phases. In reality, the maturity of your application security program’s capabilities will drive the nature and maturity of the AppSec metrics that you can gather and leverage to answer appropriate questions around application security.

How Mature Are Our Program’s Capabilities?

Phases of Metrics Development
Plan Definition
  • Identify most business appropriate measurements
  • Map to application security goals
  • Leverage benchmarking data
  • Define KPIs and KRIs
Data Source
  • Determine appropriate data sources
  • Automate data collection from existing processes and tools
  • Monitor progress/improvements
Contextualization
  • Create visualizations from raw data
  • Build business context around available data
  • Make informed, actionable and measurable business decisions

Manage Application Security Efforts with Confidence

We will help you manage your AppSec efforts using metrics: determining effectiveness, identifying areas that need additional focus, and implementing changes so that you invest in AppSec optimally. Our objective is to show you how to build and leverage metrics that fit your business needs and answer the right questions.

Metrics will help you determine:

  • Your effectiveness in protecting your crown jewels
  • Your adherence to regulatory and compliance pressures
  • Your capability to detect AppSec incidents
  • Your business areas needing AppSec focus
  • Your ability to adhere to applicable SLAs
  • Your highest risk business functions

Metrics will help you track:

  • Penetration testing coverage by application/asset
  • Ratio of open to remediated vulnerabilities
  • Costs related to remediation efforts
  • Percentage of applications meeting compliance needs
  • Resources being allocated to perform security testing
  • Security vulnerabilities reaching production
  • Assets that require additional testing
  • Cost of building a secure application
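As an added example (not NetSPI’s code), the following computes three of the metrics listed above from a constructed findings dataset: penetration testing coverage by asset, the ratio of open to remediated vulnerabilities, and SLA adherence by severity. The asset inventory, findings and SLA thresholds are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not NetSPI's): an asset inventory, the assets
# tested this period, the reporting date, and the findings the tests produced.
ASSETS = ["billing", "portal", "payments", "hr-intranet"]
TESTED = {"billing", "portal", "payments"}
AS_OF = date(2024, 3, 1)

@dataclass
class Finding:
    app: str
    severity: str      # "critical", "high", "medium" or "low"
    environment: str   # where it was found: "prod" or "staging"
    opened: date
    closed: "date | None" = None

FINDINGS = [
    Finding("billing", "critical", "prod", date(2024, 1, 3), date(2024, 1, 10)),
    Finding("billing", "high", "staging", date(2024, 1, 5), date(2024, 2, 20)),
    Finding("portal", "high", "prod", date(2024, 1, 8)),
    Finding("portal", "medium", "prod", date(2024, 1, 15), date(2024, 2, 1)),
    Finding("payments", "critical", "prod", date(2024, 2, 1)),
    Finding("payments", "low", "staging", date(2024, 2, 2), date(2024, 2, 5)),
]
# Hypothetical remediation SLA in days per severity; substitute your own policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def pentest_coverage(assets, tested):
    """Share of inventoried assets that received a test this period."""
    return len(set(assets) & tested) / len(assets)

def open_to_remediated_ratio(findings):
    """Open findings per remediated finding (inf if nothing is closed yet)."""
    open_count = sum(f.closed is None for f in findings)
    closed_count = len(findings) - open_count
    return open_count / closed_count if closed_count else float("inf")

def sla_adherence(findings, sla_days, as_of):
    """Per severity, share of findings within SLA; an open finding is measured
    from its open date to as_of, so overdue open items count as breaches."""
    result = {}
    for sev, limit in sla_days.items():
        group = [f for f in findings if f.severity == sev]
        if group:
            within = sum(((f.closed or as_of) - f.opened).days <= limit for f in group)
            result[sev] = within / len(group)
    return result
```

Each function takes the raw records as input, so the same code can be pointed at an export from a ticketing or vulnerability management tool to automate collection, as the Data Source phase describes.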

Pentesting Research and Tools

Learn about penetration testing on our blog, our open source penetration testing toolsets for the infosec community, and our SQL injection wiki.