Many firms present their metrics in a vastly oversimplified way, calculating too few measurements to be worth sharing. Many others barrage the audience with a variety of highly detailed metrics, which often overwhelms the reader. Both approaches are weak. If you want to share key software security metrics, it’s critical to focus on the impact those metrics will have on your audience.
The fact is that all sorts of groups have interest in discussing your security metrics. Executives within your firm, regulators in your industry, and your customers will all be looking to understand what you’re doing and how it’s working.
In her 2016 OWASP AppSec California presentation, Caroline Wong explores risk management and the effectiveness of software security metrics. Her recorded presentation explores: