Honestly, it's so hard to say. You can't even measure your system's security by the number of vulnerabilities pentesters find (the most obvious metric!) because all this comments on is the skill of your pentest team. A terrible, insecure site could find 0 vulns with a bad red team, while large companies find numerous issues every week because they have an amazing security team.
If you hire competent pentesters, and they find no issues, perhaps you can say your site is secure. But how do you know the penstesters are competent?
This issue gets worse when you consider that hackers are constantly learning, just as we are. So a site that's secure today might be a disaster tomorrow.
You are absolutely right! The point of measuring these types of metrics is to guide your improvement and make sure that you are going in the right direction. Perhaps a better metric would be the time to resolution.
I really like the idea of time to resolution. If your teams can't make maintainable well tested code, they likely aren't making secure code. If they can manage tech debt (and then you manage security flaws as heavy teach debt) then you are in a better position to improve security practices.
You can help them out with tools like SAST, DAST, IAST and code quality tools, but they still rely on your team's having competency to fix issues when they are detected and to get those fixes into production.
I agree. I remember reading a paper about a study showing a corellation between the number of bugs and security vulnerabilities found in software (I'll link it here is I find it). Insisting in higher standards when it comes to code quality is definitely a step towards a more secure system.
Thanks for the tools! I'll use these as a reference.
You can try to benchmark your system vs known good processes. For example, are you doing x,y,z things in a standard checklist? But find comparisons to "secure" systems might be a good place to start. Why are the considered secure?
For more explicitly "testing the tester" check out this page, and the Youden index, as well. Maybe you could run the benchmark app through your security process to see how things pan out: owasp.org/index.php/Benchmark
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Honestly, it's so hard to say. You can't even measure your system's security by the number of vulnerabilities pentesters find (the most obvious metric!) because all this comments on is the skill of your pentest team. A terrible, insecure site could find 0 vulns with a bad red team, while large companies find numerous issues every week because they have an amazing security team.
If you hire competent pentesters, and they find no issues, perhaps you can say your site is secure. But how do you know the penstesters are competent?
This issue gets worse when you consider that hackers are constantly learning, just as we are. So a site that's secure today might be a disaster tomorrow.
You are absolutely right! The point of measuring these types of metrics is to guide your improvement and make sure that you are going in the right direction. Perhaps a better metric would be the time to resolution.
I really like the idea of time to resolution. If your teams can't make maintainable well tested code, they likely aren't making secure code. If they can manage tech debt (and then you manage security flaws as heavy teach debt) then you are in a better position to improve security practices.
You can help them out with tools like SAST, DAST, IAST and code quality tools, but they still rely on your team's having competency to fix issues when they are detected and to get those fixes into production.
I agree. I remember reading a paper about a study showing a corellation between the number of bugs and security vulnerabilities found in software (I'll link it here is I find it). Insisting in higher standards when it comes to code quality is definitely a step towards a more secure system.
Thanks for the tools! I'll use these as a reference.
You can try to benchmark your system vs known good processes. For example, are you doing x,y,z things in a standard checklist? But find comparisons to "secure" systems might be a good place to start. Why are the considered secure?
For more explicitly "testing the tester" check out this page, and the Youden index, as well. Maybe you could run the benchmark app through your security process to see how things pan out: owasp.org/index.php/Benchmark