CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Answer the Unanswerable with AppSec Metrics & Get Management Buy-In - CodeSecDays

Without metrics, it's difficult to determine how long it took to fix critical vulnerabilities in the last quarter. Manual tracking is challenging, but automation can unlock the power of AppSec metrics for a measurable program.

Video Transcript

Hello everyone, my name is Cenk Kalpakoglu. I'm the co-founder and CEO at Kondukto, and in this session I'm going to discuss how we can effectively use application security metrics to get management buy-in, or the support from upper managers or even the other stakeholders. As an application security leader, one of the most significant challenges that you might face is securing management support, obviously besides ensuring and helping secure your applications as usual. This lack of support often results in under-resourced security teams that feel frustrated and unable to make a meaningful impact. Building a compelling narrative around those metrics and their alignment with the organization's goals can greatly facilitate management support, and success for the overall security program. Even if you have the right metrics, getting that support could be a challenge, so I'm trying to discover and discuss how we can use some metrics and how we can effectively communicate those metrics to get the support we need, because security is teamwork.

Let me briefly introduce myself. As I mentioned, my name is Cenk Kalpakoglu, I'm the co-founder and CEO at Kondukto. Kondukto is a modern application security orchestration and posture management platform. During our time at Kondukto we had the opportunity to work with different organizations all over the world, and while working with different teams and different business needs we have seen a common pattern in why application security programs are struggling. That's why we gathered some data, and with this opportunity we would like to discuss which metrics might give you a better advantage, a helping hand, to increase the effectiveness of your program. So, let's talk.

First I'm going to start with which application security metrics matter. From that context, actually, our business context and our business needs should change the approach that we take while building a security program. Usually the threat modeling stage is where we decide those approaches, but regardless of our business context, having metrics will definitely help us with the following items. The first one is measuring progress. Metrics should show the direction of our security program's effectiveness, and that's how we understand what we need and how we need it. And I think the most important item while building a security program, or metrics, is being able to identify the bottlenecks. With the data we have, we can identify which part of our security program is failing or struggling, which resources are needed and where extra resources are needed, and we will discuss how we can find those bottlenecks. Right now we are struggling, actually: security is getting more and more complex, security teams are always working in a stressful environment, and we need to deal with lots of noise and lots of data. But the advantage of this is that we have lots of data, and by analyzing that data we can actually make data-driven decisions, and this could help us to create better decision-making processes. And finally, building trust is an important aspect to secure the program. Since we have the data, we can share with the other stakeholders which part of our ecosystem is having issues and which is getting good results, and by showing that trustworthy data we can share the needs within the organization.

While preparing for this presentation I prepared a couple of important metrics that we have seen while working with big enterprises. First I will discuss four important metrics with you, but after discussing those important metrics I put in a couple more metrics for the sake of this event. Actually, those items are all things we just discussed in the round table as well, so I'm going to discuss together with you some of the items that you just watched previously.

First I'm going to discuss the triage percentage with you: what this triage percentage means and why keeping track of the triage percentage each month could help us. We have seen that this metric is particularly important to figure out bottlenecks in our security program, and it helps us to decrease the backlog that we have, which is the common struggle that we see all security teams having regardless of their business context. The second metric that I'm going to discuss is missed SLAs. Keeping track of SLAs is the most common metric that we have seen, and everybody is actually trying to do a good job with keeping track of those SLAs, but the funny part of SLAs is that not everyone is calculating SLAs similarly. Each organization may have selected different approaches, and we will discuss how we can keep track of those SLAs even if we have different approaches. In the third part, afterwards, I will share the vulnerability burn-down chart and why it's a great metric to understand the efficiency, how well our team is doing, and I'm sure this is also one of the most common metrics that you see on your system as well. And finally I will discuss remediation metrics. Remediation metrics are also very related to SLAs, because the calculation of SLAs also reflects our remediation approaches. After those I have a few more metrics that I will discuss and show.

The first one is the triage percentage. As I mentioned, this metric is particularly important for us to identify potential bottlenecks in our triage process, because you may have bottlenecks in different parts of our organization, different parts of our application security program, but one of the most common struggles in the application security program is the increasing backlog. So let's consider the scenario: if you are only able to triage 10 percent of new vulnerabilities each month, this means that 90 percent of the reported vulnerabilities are not being assessed as a real threat, and if you keep doing that you will have an increasingly huge backlog, which will either create a problem in your application security program, create an issue in your team, or alternatively, if you force your developers to solve those vulnerabilities, again this is going to be a problem between your security teams and development teams. We have discussed that security is teamwork and security teams should be enablers in this process; however, if you bump your developers with a huge backlog then this is going to be a problem for everyone. That's why keeping track of how many vulnerabilities are getting triaged and how many are not getting triaged can help you understand which part of your software development life cycle, or of your security program, is failing, and you can also prioritize which category to address in your security program, and this is going to be a huge advantage. As you can see in this presentation, this is the usual breakdown. Usually teams tend to solve the critical vulnerabilities first, but again, this drill-down can help you make better decisions, better approaches, maybe new automations in your security tooling, maybe the overall program itself.

The second metric that I want to discuss is the vulnerability burn-down chart. The vulnerability burn-down chart helps us understand how many vulnerabilities are getting introduced versus how many of them are getting closed. Again, usually security teams tend to show those metrics with regard to constantly closed vulnerabilities or even issued vulnerabilities. We know that right now, to ensure a good security practice, we need to use multiple solutions, and multiple solutions will create multiple noise, multiple items, multiple findings, and we know that this process requires lots of work because they have many false positive vulnerabilities. But having this burn-down chart can help us to understand what kind of vulnerabilities are getting closed and why they are getting closed. Keeping track of them is even better, and if you can filter those graphs you can also understand, or you can set policies for, what kind of vulnerability should be closed first as well. That's why the vulnerability burn-down chart is usually a great chart to understand how well our security team is doing and, basically, our direction. I tend to consider this vulnerability burn-down chart as the compass of my security program.

The third metric that I want to discuss, the most common metric that I've seen in successful teams, is keeping track of SLAs. The calculation of SLAs is slightly different for each team, or maybe it can change because of the maturity of your organization, but keeping track of SLAs is important because you provide a grace period for your team and for your developers, I mean a grace period to understand and to follow all of those processes. Depending on how the organization calculates them, a deteriorating SLA metric can be a sign of the need for extra resources in your triage or your remediation stage. If you want to solve those in your remediation stage, you may have a different approach: maybe you can speak with your development teams to assign a security champion, this could be an option; maybe you can create a policy for certain types of vulnerabilities and you can try to solve those vulnerabilities in your PRs or MRs. Meaning that keeping track of SLAs is going to be a good approach, and it can give us a map of where or how those vulnerabilities should be solved. But this is tricky, because for some organizations the SLA starts when the vulnerability has been identified or reported, and meanwhile for some organizations the SLA starts when the developers have started to work on it, and if you don't have a bidirectional mechanism, a bidirectional graph with your issue managers, this could be hard to understand. And this is where we go into the remediation metrics.

We recently see that security teams tend to keep track of the remediation efforts, and what we have done is that by integrating the data, by feeding our system with the issue managers, the effort of the developers can also be traced and we can have a very good understanding of when the remediation starts, and we can drill down into different subcategories. The first one is first time to response. If you are an agile organization, the first time to response could also be the starting point of your SLAs, because this is the time that we know the vulnerability. The second approach could be the first time to action. First time to action means when the developer starts to work on that particular vulnerability. Again, having the drill-down of those metrics can give you an understanding of which vulnerabilities tend to close more from the developer perspective. I particularly keep track of this metric to keep track of the developers' understanding, because this also gives us the overall security maturity of the developers, because developers tend to solve easy or more common vulnerabilities regardless of the severity. So that's why maybe you can adjust or fine-tune your automation, and maybe you can address the critical vulnerabilities first instead of sending all the issues that your tools identify. And finally, the time to resolution can give you a very good rough timeline of a vulnerability's life cycle. What I mean is that if you know the time to resolution, or rough timing, of any vulnerability, you can understand how many days of delay your security process creates, and you can even monetize, or assign monetary values, to understand the cost the security issues create on your development posture. So that's why keeping track of remediation efforts is a super important approach.

The other security metric that I want to discuss is all about the false sense of security. We have seen that most of the time, security teams may not be aware of all the projects or all the applications in their organizations, so if they don't know the coverage, they don't really know how secure their organizations are. That's why keeping track of the coverage, and even the development period of those particular applications, can give a very good understanding about all those items. And it is very easy to solve this problem: automation actually is the answer to solve the testing coverage. If you can automate the coverage process, you don't miss anything, basically. By the way, this is one of the common items that we see in this aspect.

The next item, actually this was also discussed during the round table, is the help of the developers. They don't receive any cybersecurity training or application security training at all, and giving them just a little bit of security training will increase your posture dramatically. Gamification is one of the key aspects of an interactive security training program; try to achieve this. But if you can have developer-level or team-level data, and if you know what kind of vulnerabilities are usually introduced into the system by which teams, you can assign those people relevant vulnerabilities, which increases the awareness of those teams. Because frankly, assigning a SQL injection kind of training to your developer may not increase their awareness; on the other hand, if you assign a more advanced, real vulnerability to that particular developer, they will have a different response for sure.

And finally I want to discuss customization. I believe that generative AI will solve this customization in the near future, but having a customizable platform around your metrics can give you extra power, because since security may vary because of the business context, being able to customize the output, maybe the visualization, maybe the dashboard, and everything will give you extra power, because you may not know what kind of hidden information might be useful for some teams or for some organizations.

How to use those metrics to increase the awareness, or to engage the leadership: again, I tried to reduce this into four pillars. The first one is visualization of data. Data and dashboards are a form of communication, and if you can visualize the data in an easy manner, in an understandable manner, this will increase the awareness of the organization dramatically. That's why data visualization, or BI tools, is super important to increase the awareness, the management buy-in from upper management. The second one is identifying the key metrics. Again, according to your business needs your approach should be slightly different from the others, but if you know the baseline, if you know the key metrics, you can build your program over that, and this is usually our approach as well, and it's also my personal approach. I usually start with the most important key metric of the organization and try to increase my coverage using automation and orchestration capabilities, and this is how we set up and distribute our security approach within organizations. I mentioned this before, but collaboration is super important in security, because as application security engineers we need to enable this process with the developers. We need developer support; the developers should be a part of the security program. However, if you approach developers as blockers instead of enablers, then the friction increases and this is not going to be a good approach for either of the parties. That's why we believe that security is teamwork, and as you communicate regularly with other stakeholders you can find your way in your application security program and you can increase the overall security posture within the organization. And finally, if you can demonstrate the ROI: if you can calculate the risk and if you can assign a monetary value, it is possible to show the ROI, and you can use your data, your metrics, to show this. The vulnerability burn-down chart, the remediation metrics and everything can be utilized in that manner. So you try to assign a monetary value for each vulnerability and for the development effort, and if you can calculate those, you know how much time you spend to fix a particular vulnerability, and then you can try to reduce this number.

So, long story short, these are the key takeaways. The first item that I suggest to everyone is to be able to calculate risk. Risk, because organizations care about their applications, their products, maybe the organization's business, etc. That's why the calculation of risk is one of the most important aspects of a successful application security program, which you can use to get support from other stakeholders. We are living in a data-driven world. Having the raw data, having the metrics and everything should be used to create better decision-making processes. Again, automation and the new computing power should be used, and we strongly believe that you should use metrics to fine-tune your flows, and this is how we can get the support, because once you show something, once you prove that there was a flaw in this system, you can get the support that you need, not only from your management but from other stakeholders as well. And finally, building trust is maybe the most important aspect to get the support for your application security program. The list of poorly performing security programs, or bad security programs, shows us that once security teams lose their trust, it is getting hard for them, for all the other teams, to try to build that trust again. So as a security engineer, use your dashboards, your metrics, to get the trust from other stakeholders.

And that's actually it. If you have any questions you can always reach out to us; you can always find us on LinkedIn or even email us. Thank you for inviting me to this wonderful event. I hope I can help to build a better security program for you all.
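The four metrics the talk walks through (triage percentage per month, the vulnerability burn-down, missed SLAs under both SLA-start conventions, and the first-response / first-action / time-to-resolution remediation timings, plus the rough monetary value of delay), computed over a constructed set of findings. This is an added example, not Kondukto's code and not from the talk; the `Finding` record, the `SLA_DAYS` grace periods, the cost-per-day figure and every finding in `FINDINGS` are assumptions made up for illustration.

```python
"""Worked AppSec metrics over constructed findings (added example, not Kondukto code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional


@dataclass
class Finding:
    id: str
    severity: str                     # critical / high / medium / low
    reported: date                    # scanner reported it: SLA start under the "reported" convention
    triaged: Optional[date] = None    # security team assessed it: first time to response
    started: Optional[date] = None    # developer began work: first time to action
    resolved: Optional[date] = None   # fix closed: time to resolution


# Assumed SLA grace periods in days by severity (tune to your own policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def d(month, day):
    """Short constructor for 2024 dates used by the constructed sample."""
    return date(2024, month, day)


# Constructed sample data covering three months; none of these are real findings.
FINDINGS = [
    Finding("V-1", "critical", d(1, 3), d(1, 4), d(1, 5), d(1, 9)),
    Finding("V-2", "high", d(1, 8), d(1, 10), d(1, 20), d(2, 15)),
    Finding("V-3", "medium", d(1, 15)),
    Finding("V-4", "low", d(1, 22), d(1, 30)),
    Finding("V-5", "critical", d(2, 2), d(2, 2), d(2, 3), d(2, 6)),
    Finding("V-6", "high", d(2, 5), d(2, 7)),
    Finding("V-7", "medium", d(2, 12)),
    Finding("V-8", "critical", d(3, 4), d(3, 5), d(3, 6), d(3, 10)),
    Finding("V-9", "medium", d(3, 11), d(3, 12), d(3, 15), d(3, 28)),
    Finding("V-10", "high", d(3, 18)),
    Finding("V-11", "low", d(3, 25)),
]


def _in_month(day, year, month):
    return day is not None and (day.year, day.month) == (year, month)


def triage_percentage(findings, year, month):
    """Share of findings reported in a month that the security team has triaged."""
    new = [f for f in findings if _in_month(f.reported, year, month)]
    if not new:
        return 0.0
    return round(100.0 * sum(f.triaged is not None for f in new) / len(new), 1)


def burn_down(findings, months):
    """Per month: introduced vs closed and the running open count (the burn-down chart's data)."""
    rows, open_count = [], 0
    for year, month in months:
        introduced = sum(_in_month(f.reported, year, month) for f in findings)
        closed = sum(_in_month(f.resolved, year, month) for f in findings)
        open_count += introduced - closed
        rows.append({"month": f"{year}-{month:02d}", "introduced": introduced,
                     "closed": closed, "open": open_count})
    return rows


def sla_start(f, convention):
    """'reported': clock starts at report time; 'action': clock starts when a developer picks it up."""
    return f.reported if convention == "reported" else f.started


def missed_slas(findings, as_of, convention="reported"):
    """IDs whose SLA deadline passed before resolution (or before as_of if still open)."""
    missed = []
    for f in findings:
        start = sla_start(f, convention)
        if start is None:              # no clock running yet under the 'action' convention
            continue
        deadline = start + timedelta(days=SLA_DAYS[f.severity])
        if (f.resolved or as_of) > deadline:
            missed.append(f.id)
    return missed


def remediation_metrics(findings):
    """Median days from report to first response, first action and resolution, per severity."""
    buckets = defaultdict(lambda: {"response": [], "action": [], "resolution": []})
    for f in findings:
        for key, stamp in (("response", f.triaged), ("action", f.started), ("resolution", f.resolved)):
            if stamp is not None:
                buckets[f.severity][key].append((stamp - f.reported).days)
    return {sev: {k: (median(v) if v else None) for k, v in b.items()} for sev, b in buckets.items()}


def delay_cost(findings, as_of, daily_cost, convention="reported"):
    """Total days past the SLA deadline (open or resolved) and a rough value at daily_cost per day."""
    total_days = 0
    for f in findings:
        start = sla_start(f, convention)
        if start is None:
            continue
        deadline = start + timedelta(days=SLA_DAYS[f.severity])
        total_days += max(0, ((f.resolved or as_of) - deadline).days)
    return total_days, total_days * daily_cost


if __name__ == "__main__":
    as_of = d(3, 31)
    for m in (1, 2, 3):
        print(f"2024-{m:02d} triage %: {triage_percentage(FINDINGS, 2024, m)}")
    for row in burn_down(FINDINGS, [(2024, 1), (2024, 2), (2024, 3)]):
        print(row)
    print("missed (clock from report):", missed_slas(FINDINGS, as_of))
    print("missed (clock from first action):", missed_slas(FINDINGS, as_of, "action"))
    print(remediation_metrics(FINDINGS))
    print("SLA delay days / cost:", delay_cost(FINDINGS, as_of, 500))
```

The two `missed_slas` calls show the point the talk makes about SLA conventions: with the clock starting at report time, V-2 and V-6 are late, while starting the clock at first developer action reports no misses at all (and silently ignores findings nobody has picked up), so the convention has to be stated alongside the number before it is shown to management.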