

Succeeding with Enterprise Software Security Key Performance Indicators

via YouTube

Overview

Learn how to implement effective Key Performance Indicators (KPIs) for enterprise software security in this 58-minute conference talk from BSides Nashville 2014. Explore the importance of KPIs in measuring organizational success and progress towards long-term goals. Discover how to define relevant security KPIs, such as whether mandatory testing, static and dynamic analysis processes, and developer awareness programs have been implemented. Examine the impact of security measures on release timelines and application uptime. Gain insights into integrating security testing early in development, providing fix templates, and implementing continuous security monitoring. Understand the value of mandatory peer code reviews, security sign-offs, and accountability measures. Apply these strategies to minimize injection (OWASP Top 10 A1) defects in new software releases and enhance overall software security in your enterprise.

Syllabus

Succeeding with Enterprise Software Security Key Performance Indicators
KPI = Key Performance Indicator
A key performance indicator (KPI) is a measure of performance, commonly used to help an organization define and evaluate how successful it is, typically in terms of making progress towards its long-term organizational goals.
Show relative distance to a goal
Establish relevance to org
Establish relevance to security
Example KPI: Implemented mandatory testing
Evaluated on: relative distance to goal; relevance to organization; relevance to security
Security items (examples): static analysis process; dynamic analysis process; integrating testing tools; developer awareness
Impact of a security item on the release timeline
Security items (examples): integrating security testing early in development; providing templates for fixes; defining pre-built code modules
Impact of a security item on the uptime of the application/service
Security items (examples): continuous security monitoring; continuous/regular testing; remediation of exploitable vulnerabilities
Security items (examples): mandatory peer review of code; required stage-gates to production with security sign-off; accountability by line-of-business (LOB) VP
Minimize injection (OWASP Top 10 A1) defects in new software releases
Follow the wh1t3rabbit.
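The syllabus lists KPIs (mandatory testing implemented, stage-gates with sign-off, injection defects per release, timeline impact) and asks that each one show its relative distance to a goal. The script below is an added example, not material from the talk, showing how such per-release evidence rolls up into KPI values, a signed distance to each goal, and a trend for the injection-defect KPI. The `Release` record, the sample releases, the goal thresholds and the choice of which KPIs are "higher is better" are all constructed assumptions for illustration.

```python
"""Added example (not from the talk): computing release-level security KPIs of the
kind the syllabus lists and each KPI's remaining distance to its goal.
The Release records, goal values and the higher/lower-is-better directions are
constructed assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Release:
    name: str
    static_analysis: bool     # SAST ran and findings were triaged before release
    dynamic_analysis: bool    # DAST ran against the release candidate
    peer_reviewed: bool       # mandatory peer code review completed
    security_signoff: bool    # stage-gate security sign-off recorded
    injection_defects: int    # confirmed injection (OWASP A1) findings in this release
    security_delay_days: int  # release slip attributable to security work


# Constructed sample releases (hypothetical; not data from the talk).
RELEASES: List[Release] = [
    Release("1.0", False, False, True, False, 5, 0),
    Release("1.1", True, False, True, False, 3, 2),
    Release("1.2", True, True, True, True, 2, 1),
    Release("1.3", True, True, True, True, 0, 1),
]

# Constructed goals: the target value for each KPI. These thresholds are
# assumptions, not the talk's numbers.
GOALS: Dict[str, float] = {
    "mandatory_testing_pct": 100.0,       # releases with both SAST and DAST
    "stage_gate_pct": 100.0,              # releases peer-reviewed and signed off
    "injection_defects_per_release": 0.0,
    "avg_security_delay_days": 1.0,       # acceptable timeline impact
}
# For these KPIs a larger value is better; for the rest a smaller value is better.
HIGHER_IS_BETTER = {"mandatory_testing_pct", "stage_gate_pct"}


def _pct(count: int, total: int) -> float:
    return 100.0 * count / total if total else 0.0


def _mean(values: List[float]) -> float:
    return sum(values) / len(values) if values else 0.0


def compute_kpis(releases: List[Release]) -> Dict[str, float]:
    """Roll the per-release evidence up into the four KPIs."""
    tested = sum(1 for r in releases if r.static_analysis and r.dynamic_analysis)
    gated = sum(1 for r in releases if r.peer_reviewed and r.security_signoff)
    return {
        "mandatory_testing_pct": _pct(tested, len(releases)),
        "stage_gate_pct": _pct(gated, len(releases)),
        "injection_defects_per_release": _mean([r.injection_defects for r in releases]),
        "avg_security_delay_days": _mean([r.security_delay_days for r in releases]),
    }


def distance_to_goal(kpis: Dict[str, float], goals: Dict[str, float]) -> Dict[str, float]:
    """Remaining gap to each goal in the KPI's own units; 0.0 means the goal is met.
    The KPI's direction decides which way the gap is measured."""
    gaps: Dict[str, float] = {}
    for name, goal in goals.items():
        actual = kpis[name]
        gap = goal - actual if name in HIGHER_IS_BETTER else actual - goal
        gaps[name] = max(gap, 0.0)
    return gaps


def injection_trend(releases: List[Release], window: int) -> float:
    """Change in mean injection defects per release between the first `window`
    releases and the last `window`; negative means the defect rate is falling."""
    first = _mean([r.injection_defects for r in releases[:window]])
    last = _mean([r.injection_defects for r in releases[-window:]])
    return last - first


if __name__ == "__main__":
    kpis = compute_kpis(RELEASES)
    gaps = distance_to_goal(kpis, GOALS)
    for name, value in kpis.items():
        print(f"{name:32s} actual={value:6.2f} goal={GOALS[name]:6.2f} gap={gaps[name]:6.2f}")
    print(f"injection trend (last 2 vs first 2 releases): {injection_trend(RELEASES, 2):+.2f}")
```

Reporting the gap in the KPI's own units (percentage points, defects per release, days) keeps the "relative distance to goal" readable by the line-of-business owner who is accountable for it; the trend function is there because a point-in-time KPI says nothing about whether early testing and fix templates are actually driving injection defects down across releases.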
