Figures generated with Superset

Number of Initial Vulnerabilities
  • Before making any changes to your AppSec program, record the number of vulnerabilities currently in your applications (from SAST and manual testing)
  • This number will be your baseline to help you relay the progress of your program to all your stakeholders
Vulnerabilities by Category
  • Inform your AppSec team’s priorities based on the most common and impactful bug classes
  • Know where to investing in tooling and libraries to mitigate them
Rate of vulnerability creation
  • Can help detect issues with developer’s security knowledge, and you can take it to the next level by pinpointing specific vulnerabilities that come up over and over
  • This metric can be used both to show the security team and developers the most common issues, and can be used to influence material being taught to developers
  • If, for example, SQL injections or XSS appear time and time again, it may be useful to offer a (mandatory) workshop to teach developers how to better avoid and spot these vulnerabilities. 
Open Security Vulnerabilities by Priority
  • Measure improvement over time and raise the AppSec team’s visibility in your company, which can provide valuable social capital
Time to Detect Vulnerabilities
  • Measures how effectively your team is discovering vulnerabilities, measuring the time from when a vulnerability is created until it is detected
  • This metric can be used in all progress reports to show how your program has improved this number over time
Time to Fix by Team
  • Helps you hold dev teams accountable and know which teams need more 1:1 AppSec engineer support
Vulnerability Source => Resolution
  • Gives you insight into if scanners may need to be tuned and if your bug bounty program is healthy
Effective ratio
  • Measures how effective your resolution of vulnerabilities is by measuring the rate of vulnerabilities resolved to vulnerabilities reported
Number of vulnerabilities prevented from proactive activities
  • Use this metric to relate how many vulnerabilities the security team has detected through continuous security practices to prove your value to the C-suite and board
Compliance with industry regulations
  • This may be less of a metric and more of a checklist in many organizations
  • Compliance with industry regulations is a major business enabler, so make sure your board knows that your activities help keep the whole organization in compliance