You are absolutely right! The point of measuring these types of metrics is to guide your improvement and make sure that you are going in the right direction. Perhaps a better metric would be the time to resolution.
I really like the idea of time to resolution. If your teams can't make maintainable, well-tested code, they likely aren't making secure code. If they can manage tech debt (and then you manage security flaws as heavy tech debt) then you are in a better position to improve security practices.
You can help them out with tools like SAST, DAST, IAST and code quality tools, but they still rely on your teams having the competency to fix issues when they are detected and to get those fixes into production.
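To make the "time to resolution" metric concrete, here is an added example (not code from the original thread or any of its commenters) that computes per-severity median days to resolve over a constructed set of scanner findings and flags findings that are older than an assumed per-severity remediation target. The finding records, the severity levels and the SLA day counts are all assumptions for illustration.

```python
from datetime import datetime
from statistics import median

# Constructed sample findings (not from the page): one record per issue a
# scanner reported, with the date it was opened and the date the fix reached
# production. 'resolved' is None while the finding is still open.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "high",   "opened": "2024-03-01", "resolved": "2024-03-04"},
    {"id": "F-2", "severity": "high",   "opened": "2024-03-02", "resolved": "2024-03-20"},
    {"id": "F-3", "severity": "medium", "opened": "2024-03-05", "resolved": "2024-03-12"},
    {"id": "F-4", "severity": "medium", "opened": "2024-03-06", "resolved": None},
    {"id": "F-5", "severity": "low",    "opened": "2024-02-10", "resolved": "2024-03-25"},
]

# Hypothetical remediation targets in days per severity (assumed, not from the page).
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}


def _date(iso):
    """Parse an ISO 8601 date string (YYYY-MM-DD)."""
    return datetime.fromisoformat(iso)


def days_to_resolve(finding, as_of):
    """Age of a finding in days: opened->resolved, or opened->as_of if still open."""
    opened = _date(finding["opened"])
    end = _date(finding["resolved"] or as_of)
    return (end - opened).days


def time_to_resolution(findings, as_of):
    """Per-severity median days to resolve closed findings, plus counts of closed/open."""
    buckets = {}
    for f in findings:
        sev = buckets.setdefault(f["severity"], {"closed_days": [], "open": 0})
        if f["resolved"]:
            sev["closed_days"].append(days_to_resolve(f, as_of))
        else:
            sev["open"] += 1
    return {
        severity: {
            "median_days": median(v["closed_days"]) if v["closed_days"] else None,
            "closed": len(v["closed_days"]),
            "open": v["open"],
        }
        for severity, v in buckets.items()
    }


def sla_breaches(findings, as_of, sla=SLA_DAYS):
    """IDs of findings whose age (closed or still open) exceeds the target for their severity."""
    return [f["id"] for f in findings if days_to_resolve(f, as_of) > sla[f["severity"]]]


if __name__ == "__main__":
    today = "2024-04-01"
    for severity, s in time_to_resolution(SAMPLE_FINDINGS, today).items():
        print(f"{severity:7s} median={s['median_days']} closed={s['closed']} open={s['open']}")
    print("SLA breaches:", sla_breaches(SAMPLE_FINDINGS, today))
```

Open findings are aged against the report date rather than dropped, so a finding that sits unfixed still counts against the target instead of silently disappearing from the metric; the median is used for closed findings so one long-lived outlier does not dominate the trend you are tracking.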
I agree. I remember reading a paper about a study showing a correlation between the number of bugs and security vulnerabilities found in software (I'll link it here if I find it). Insisting on higher standards when it comes to code quality is definitely a step towards a more secure system.
Thanks for the tools! I'll use these as a reference.