Model | Governance | Strategy and Metrics | Measure and Improve
Benefit
Basic insights into your AppSec program’s effectiveness and efficiency
Activity
Define and document metrics to evaluate the effectiveness and efficiency of the application security program. This makes improvements measurable, and you can use the results to secure future support and funding for the program. Because most development environments change constantly, metrics should combine measurements from the following three categories:
- Effort metrics measure the effort spent on security. Examples include training hours, time spent performing code reviews, and the number of applications scanned for vulnerabilities.
- Result metrics measure the results of security efforts. Examples include the number of outstanding patches for security defects and the number of security incidents involving application vulnerabilities.
- Environment metrics measure the environment in which security efforts take place. Examples include the number of applications or lines of code as a measure of difficulty or complexity.
Each metric by itself is useful for a specific purpose, but combining two or three metrics helps explain spikes in metric trends. For example, a spike in the total number of vulnerabilities may be caused by the organization on-boarding several new applications that have not previously been exposed to the implemented application security mechanisms. Conversely, an increase in environment metrics without a corresponding increase in effort or result metrics could indicate a mature and efficient security program: it absorbs more applications or code without proportionally more work or more incidents.
When identifying metrics, prefer those that meet the following criteria:
- Consistently Measured
- Inexpensive to gather
- Expressed as a cardinal number or a percentage
- Expressed as a unit of measure
Document each metric, including the best and most efficient methods for gathering its data and the recommended ways of combining individual measures into meaningful metrics. For example, the number of applications and the total number of defects across all applications may not be useful by themselves, but when combined into the number of outstanding high-severity defects per application they provide a more actionable metric.
Question
Do you use a set of metrics to measure the effectiveness and efficiency of the application security program across applications?
Quality criteria
- You document each metric, including a description of the sources, measurement coverage, and guidance on how to use it to explain application security trends
- Metrics include measures from all three categories: effort, results, and environment
- Most of the metrics are frequently measured, easy or inexpensive to gather, and expressed as a cardinal number or a percentage
- Application security and development teams publish metrics
Answers
- No
- Yes, for one metrics category
- Yes, for two metrics categories
- Yes, for all three metrics categories
Benefit
Transparency on your AppSec program’s performance
Activity
Once the organization has defined its application security metrics, collect enough information to establish realistic goals. Test the identified metrics over a short trial period to ensure you can gather the data consistently and efficiently. After the initial testing period, the organization should have enough information to commit to goals and objectives expressed as Key Performance Indicators (KPIs).
While many measurements are useful for monitoring the information security program and its effectiveness, KPIs consist of the most meaningful and effective metrics. Aim to remove the volatility common in application development environments from KPIs, to reduce the chance of unfavorable numbers caused by temporary or misleading individual measurements. Base KPIs on metrics that are valuable not only to information security professionals but also to the people responsible for the overall success of the application and to the organization's leadership. Treat KPIs as definitive indicators of the success of the whole program, and make sure they are actionable.
Fully document KPIs and distribute them to the teams contributing to the success of the program as well as to the organization's leadership. Ideally, include for each KPI a brief explanation of its information sources and of what high or low values mean. Include short- and long-term goals, and ranges of unacceptable values that require immediate intervention. Share action plans with the application security and application development teams so that everyone fully understands the organization's objectives and goals.
Question
Did you define Key Performance Indicators (KPI) from available application security metrics?
Quality criteria
- You defined KPIs after gathering enough information to establish realistic objectives
- You developed KPIs with buy-in from the leadership and the teams responsible for application security
- KPIs are available to the application teams and include acceptability thresholds and guidance in case teams need to take action
- The success of the application security program is clearly visible from the defined KPIs
Answers
- No
- Yes, for some of the metrics
- Yes, for at least half of the metrics
- Yes, for most or all of the metrics
Benefit
Continuous improvement of your program according to results
Activity
Define guidelines for adjusting the application security program based on the KPIs and other application security metrics. These guidelines relate the maturity of the application development process and procedures to the different metrics, so that the program becomes more efficient over time. The following examples show how measurements relate to ways of evolving and improving application security:
- Focusing on the maturity of the development lifecycle lowers the relative cost per defect, because security is applied proactively rather than after defects are found.
- Monitoring the balance between effort, result, and environment metrics improves the program's efficiency and justifies additional automation and other methods for raising the overall application security baseline.
- Metrics tied to individual Security Practices can indicate the success or failure of individual application security initiatives.
- Effort metrics help ensure that application security work is directed at the most relevant and important technologies and disciplines.
When defining the overall metrics strategy, keep the end goal in mind: decide as early as possible which decisions will be made in response to changes in KPIs and metrics, and let those decisions guide which metrics you develop.
Question
Do you update the Application Security strategy and roadmap based on application security metrics and KPIs?
Quality criteria
- You review KPIs at least yearly for their efficiency and effectiveness
- KPIs and application security metrics trigger most of the changes to the application security strategy
Answers
- No
- Yes, but the review is ad hoc
- Yes, we review it at regular intervals
- Yes, we review it at least annually