CypherCon 2024

Metrics, metrics everywhere – which ones should I be scared of?

Srdan Reljic

Abstract:

The rapidly evolving landscape of application security (AppSec) necessitates the implementation of effective metrics to gauge the effectiveness of security measures. However, the abundance of available metrics can overwhelm organizations, making it crucial to identify the metrics that truly matter and those that should instill concern. This session will explore the realm of AppSec metrics and guide attendees on distinguishing between valuable and potentially alarming indicators. Drawing upon industry best practices and real-world examples, participants will gain insights into selecting metrics that align with their organization’s security goals and risk appetite, with the aim of raising the AppSec maturity of the organization. The session will delve into the various categories of AppSec metrics, including vulnerability density, time to remediation, and exploitability. By examining these metrics in depth, participants will learn to discern whether specific metrics reflect healthy security practices or signal potential vulnerabilities that demand immediate attention. The session will also address the challenges of interpreting and contextualizing AppSec metrics. Attendees will acquire the understanding, and a review of some of the tools, necessary to communicate security metrics to stakeholders effectively, facilitating informed decision-making and fostering a proactive security culture within their organizations. The goal of this session is to empower attendees to navigate the ocean of AppSec metrics, enabling them to identify metrics that warrant concern, prioritize remediation efforts, and drive continuous improvement in their organization’s application security posture.

Srdan Reljic

AppSec Metrics!

Srdan Reljic is an accomplished technology executive and a cyber security practitioner with a knack for driving innovation and creating strategic value. He also has extensive hands-on experience in applying cloud native and open source technology to infuse security at every level. His interests lie in secure developer enablement, platform and data engineering, and generative AI and web3 security.