Name
A1. Your AppSec Metrics Aren't Helping Your AppSec
Track
AppSec & DevSecOps
Date
Tuesday, June 8, 2021
Time
10:00 AM - 11:00 AM
Description

When the subject of metrics comes up in AppSec programs, often the only metric collected is “number of vulnerabilities found”, and only fixed if it is high. The problem is that this ‘metric’ is misleading and doesn’t drive AppSec improvement. Then the question of how to collect metrics is raised, and given the dismal state of AppSec scanning tools, how does the AppSec leader know what their risk really is? What can they do to improve things? Join me as we go through the AppSec metrics to collect and how to use them, and wrap up with thoughts on improving your AppSec program.

Learner Objectives

After completing this session, the learner will:
o) Have seven AppSec metrics they should be collecting
o) See how to use these to improve their AppSec program
o) Understand why the AppSec toolkit is incomplete
o) Have some suggestions to fill in the gaps