| Track | DevSecOps |
|---|---|
| When | Wed PM-1 |
| Where | Maulden |
| Organizers | Imran Mohammed A |
| Participants | Francois Raynaud, Timo Pagel, Jim Newman, Abhinav Sejpal, Avi Douglen, Dominik de Smit, Jannik Hollenbach, Pedro Laguna, Peter Turczak, Sotiraki Sima, Yasmin Martin |
| Remote Participants | Ernesto Bethencourt, Harmeet Singh, Pascal Schulz, Paul Cutting, Sophie Tonnoir, Subash, Sugumaran Uppili, Vinod Anandan |
Why
You can't improve what you don't measure. It's important to measure the activities that are part of the SDL and use the results to drive future improvements to the application security program. Metrics show business value to stakeholders and help drive further investment in the program. Metrics also help in figuring out what's working and what's not.
Metrics used should be meaningful and not there for the sake of just metrics (metric fatigue?).
What
The goal of this User Session is to find ways to create meaningful metrics and dashboards for AppSec professionals, such as Mean Time To Remediate, Mean Time To Find, etc.
This session also works out which metrics are effective and meaningful, what you can do to get started, and the different challenges you might come across.
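As an added illustration of the two metrics named above (not material from the session itself), the following Python computes Mean Time To Find (introduced to found), Mean Time To Remediate (found to fixed, closed findings only) and the open backlog per severity from a constructed set of finding records; the record layout, field names and dates are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

@dataclass
class Finding:
    """One vulnerability record (constructed layout, not a real tool's export)."""
    id: str
    severity: str
    introduced: datetime   # when the vulnerable change landed
    found: datetime        # when a scanner or reviewer reported it
    fixed: Optional[datetime]  # None while the finding is still open

# Constructed sample data for the example; not real findings.
SAMPLE_FINDINGS = [
    Finding("F-1", "high", datetime(2019, 5, 1), datetime(2019, 5, 3), datetime(2019, 5, 5)),
    Finding("F-2", "high", datetime(2019, 5, 2), datetime(2019, 5, 10), datetime(2019, 5, 12)),
    Finding("F-3", "medium", datetime(2019, 4, 20), datetime(2019, 5, 4), datetime(2019, 5, 20)),
    Finding("F-4", "low", datetime(2019, 5, 6), datetime(2019, 5, 6), None),
]
REPORT_DATE = datetime(2019, 5, 7)  # constructed "as of" date for the backlog view

def _mean_days(deltas):
    """Average of timedeltas in days, rounded; None when there is nothing to average."""
    if not deltas:
        return None
    return round(mean(d.total_seconds() for d in deltas) / 86400, 2)

def mean_time_to_find(findings, severity=None):
    """MTTF in days: how long vulnerable code lived before anyone reported it."""
    rows = [f for f in findings if severity is None or f.severity == severity]
    return _mean_days([f.found - f.introduced for f in rows])

def mean_time_to_remediate(findings, severity=None):
    """MTTR in days over closed findings only; open findings are excluded rather
    than counted as zero, which would make the number look better than it is."""
    rows = [f for f in findings
            if f.fixed is not None and (severity is None or f.severity == severity)]
    return _mean_days([f.fixed - f.found for f in rows])

def open_backlog(findings, as_of):
    """Findings already reported but not yet fixed at `as_of`, counted per severity."""
    counts = {}
    for f in findings:
        if f.found <= as_of and (f.fixed is None or f.fixed > as_of):
            counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

if __name__ == "__main__":
    print("MTTF (days):", mean_time_to_find(SAMPLE_FINDINGS))
    print("MTTR (days):", mean_time_to_remediate(SAMPLE_FINDINGS))
    print("MTTR high (days):", mean_time_to_remediate(SAMPLE_FINDINGS, "high"))
    print("Open backlog:", open_backlog(SAMPLE_FINDINGS, REPORT_DATE))
```

Splitting both metrics by severity is what keeps a dashboard honest: a low MTTR overall can hide high-severity findings that sit open for weeks.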
Content
- What is the difference between metrics and measurement?
- How to get started, and the different challenges.
- What are the best practices for using tools like ELK or Prometheus?
- How to visualise the data collected in actionable, meaningful graphs.
- The learning curve of tools like Graphviz, the DOT format, etc.
Outcomes
This Working Session will publish:
- A list of meaningful metrics for measuring an application security program
- A guide on how to calculate them using open source tools.
Who
The target audience for this Working Session is:
- Developers
- Security professionals
- DevSecOps
- Security champions
References
- https://medium.com/@smnbss/how-we-use-activity-oriented-metrics-6d85c6f9d400
- https://www.owasp.org/index.php/CISO_AppSec_Guide:_Metrics_For_Managing_Risks_%26_Application_Security_Investments
- https://www.owasp.org/images/7/77/Magic_Numbers_-_5_KPIs_for_Measuring_WebAppSec_Program_Success_v3.2.pdf
- https://www.veracode.com/sites/default/files/Resources/Whitepapers/using-metrics-to-manage-your-application-security-program-sans-veracode.pdf
- https://www.csoonline.com/article/2123361/metrics-budgets/security-metrics--critical-issues.html
Register as participant
To register as participant, add "Creating Appsec metrics and visualisation" to either:
- the sessions metadata field from your participant's page (find your participant page and look for the edit link), or
- the participants metadata field from this git session page.