Talent Ratings
- The most important attributes of any security researcher are their skillset, experience, and performance
- You want a security researcher to:
  - have skills that match your application's technology stack
  - have many years of professional experience conducting security tests
  - be highly rated by team members and clients on their past performance

New Issues Found
- It is impossible to know whether all of the security bugs in an application have been discovered in a given pentest
- An indicator that can be counted and tracked, however, is the number of new high-criticality issues found in the most recent test
- Metric: new-finding ratio (%) = # new findings / # total findings in the most recent pentest

Vulnerability Types
- By visualizing and analyzing how many instances of each vulnerability type were found in a pentest, an organization can begin to strategically eliminate certain classes of vulnerabilities by focusing prevention strategies on a particular category
- Metric: count the number of security defects of each vulnerability type

Findings Criticality
- Some findings are more critical than others
- Metric: count the number of pentest findings at each level of criticality

Issues Fixed
- Finding issues is good, but fixing them is what actually improves application security
- An organization should track how many of the issues found in each pentest actually get fixed
- Metric: fix ratio = # security defects fixed / # security defects found