DEV Community

Discussion on: How do you measure security? Security Metrics

Collapse
brburzon profile image
Brandon Burzon Author

You are absolutely right! The point of measuring these types of metrics is to guide your improvement and make sure that you are going in the right direction. Perhaps a better metric would be the time to resolution.

Collapse
sturzl profile image
Avery

I really like the idea of time to resolution. If your teams can't make maintainable well tested code, they likely aren't making secure code. If they can manage tech debt (and then you manage security flaws as heavy teach debt) then you are in a better position to improve security practices.

You can help them out with tools like SAST, DAST, IAST and code quality tools, but they still rely on your team's having competency to fix issues when they are detected and to get those fixes into production.

Thread Thread
brburzon profile image
Brandon Burzon Author

I agree. I remember reading a paper about a study showing a corellation between the number of bugs and security vulnerabilities found in software (I'll link it here is I find it). Insisting in higher standards when it comes to code quality is definitely a step towards a more secure system.

Thanks for the tools! I'll use these as a reference.