Every few months, we see companies like Facebook and Google go in front of Congress to answer questions like, "Have you ever had a data breach?"
If your stakeholders ask you this question today, what would you say?
As developers and engineers (I still don't get the difference), there are a lot of benefits to being data-driven. Perhaps we can use metrics to answer questions like, "How secure are we today vs yesterday, last month or even last year?"
Here are just a few metrics I've seen people use to measure security:
- Number of resolved vs unresolved security risks
- Number of hosts running unpatched or outdated kernels
- Number of recalled or deprecated dependencies
- Number of detected vulnerabilities through manual or automated code review (e.g. static code analysis)
I think having security metrics is one way we can raise the security bar for our team, company, and industry. It can help us drive actions to make our applications more secure in order to protect sensitive data and maintain our customers’ trust.
I understand that the security metrics you choose depend on the type of data or application you are trying to protect. For example, there is not a lot of value in measuring security for access to data that is purposely made available to the public.
So given an application that handles sensitive data, what are some ways you would measure its security? What security metrics would you implement?
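To make the metrics in the list above concrete, here is an added example (not code from the original post) that computes several of them from a constructed findings export and host inventory. All findings, hostnames, kernel versions and the `KERNEL_BASELINE` value are made up for illustration; the point is the "today vs last month" comparison and the numeric kernel-version comparison, which plain string comparison gets wrong.

```python
"""Compute a few security metrics from constructed data.

Added example for the discussion of security metrics; the findings, host
inventory and kernel baseline below are invented, not real scan output.
"""
from collections import Counter
from datetime import date

# Constructed findings export: one dict per finding. "resolved" is None
# while the finding is still open.
FINDINGS = [
    {"id": "F-1", "source": "sast", "severity": "high",
     "opened": date(2024, 1, 3), "resolved": date(2024, 1, 20)},
    {"id": "F-2", "source": "sast", "severity": "medium",
     "opened": date(2024, 1, 5), "resolved": None},
    {"id": "F-3", "source": "manual", "severity": "critical",
     "opened": date(2024, 2, 1), "resolved": date(2024, 2, 4)},
    {"id": "F-4", "source": "manual", "severity": "low",
     "opened": date(2024, 2, 10), "resolved": None},
    {"id": "F-5", "source": "dependency", "severity": "high",
     "opened": date(2024, 2, 15), "resolved": None},
]

# Constructed host inventory: hostname -> running kernel version.
HOSTS = {
    "web-1": "5.15.0",
    "web-2": "5.4.9",
    "db-1": "5.4.10",
    "batch-1": "4.19.2",
}

# Assumed patch baseline: any kernel older than this counts as outdated.
KERNEL_BASELINE = "5.4.10"


def parse_version(version):
    """Turn '5.4.10' into (5, 4, 10) so versions compare numerically.

    String comparison would rank '5.4.9' above '5.4.10' because '9' > '1'.
    """
    return tuple(int(part) for part in version.split("."))


def _is_open(finding, as_of):
    """A finding is open on as_of if it was opened by then and not yet resolved."""
    return finding["opened"] <= as_of and (
        finding["resolved"] is None or finding["resolved"] > as_of)


def open_vs_resolved(findings, as_of):
    """Resolved vs unresolved findings as of a given date (metric 1)."""
    known = [f for f in findings if f["opened"] <= as_of]
    unresolved = sum(1 for f in known if _is_open(f, as_of))
    return {"resolved": len(known) - unresolved, "unresolved": unresolved}


def outdated_hosts(hosts, baseline):
    """Hostnames whose kernel is older than the baseline (metric 2)."""
    floor = parse_version(baseline)
    return sorted(h for h, v in hosts.items() if parse_version(v) < floor)


def open_findings_by_source(findings, as_of):
    """How many open findings each detection source contributed (metric 4)."""
    return Counter(f["source"] for f in findings if _is_open(f, as_of))


def mean_time_to_resolve_days(findings, as_of):
    """Average days from opening to resolution for findings closed by as_of."""
    durations = [(f["resolved"] - f["opened"]).days for f in findings
                 if f["resolved"] is not None and f["resolved"] <= as_of]
    return sum(durations) / len(durations) if durations else None


def unresolved_trend(findings, earlier, later):
    """Change in the unresolved count between two dates (positive = worse)."""
    return (open_vs_resolved(findings, later)["unresolved"]
            - open_vs_resolved(findings, earlier)["unresolved"])


if __name__ == "__main__":
    today, last_month = date(2024, 3, 1), date(2024, 2, 1)
    print("open vs resolved today:", open_vs_resolved(FINDINGS, today))
    print("unresolved change since last month:",
          unresolved_trend(FINDINGS, last_month, today))
    print("hosts below kernel baseline:", outdated_hosts(HOSTS, KERNEL_BASELINE))
    print("open findings by source:", dict(open_findings_by_source(FINDINGS, today)))
    print("mean time to resolve (days):", mean_time_to_resolve_days(FINDINGS, today))
```

Tracking each metric as a function of an `as_of` date, rather than as a single current number, is what lets you answer the "today vs last month" question from the same export; note that `db-1`, which runs exactly the baseline kernel, is correctly not flagged, while `web-2` on 5.4.9 is.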