Overview
Explore effective software security metrics in this 50-minute conference talk from AppSec California 2016. Learn techniques to change conversations with executives about software security, encouraging them to ask the right questions and receive answers demonstrating progress towards meaningful objectives. Discover a progression of software security capabilities and corresponding metrics for different maturity levels. Gain insights on developing key metrics for your unique software security program through a detailed example. Delve into topics such as risk management objectives, measurement vs. metrics, phases of metrics, defects, risk tolerance, and coverage. Benefit from Caroline Wong's expertise as a thought leader in security strategy, operations, and metrics, drawing from her experience at companies like Cigital, Symantec, Zynga, and eBay.
Syllabus
Intro
Agenda
Questions from executives
Why Metrics
Risk Management Objectives
Measurement vs Metric
Phases of Metrics
Defects
Bad Scenarios
Vanity Metrics
Metrics Without Context
Metrics With Executives
Risk Management
Policy Standards Outreach
Software Environment
Software Security Capabilities
Risk Tolerance
Coverage
Taught by
OWASP Foundation