Whether your organization is big or small, you need the right metrics to determine the effectiveness of your security, performance and overall operation. This is no less true when it comes to measuring the success of your DevSecOps approach than it is anything else. Getting developers to think like InfoSec professionals and vice versa is critical to successfully adopting DevSecOps, yet without proper proof points demonstrating the effort is bearing fruit, it is easy for organizations to lose focus.
Benefits of DevSecOps
Before defining a few metrics to use, let’s start by understanding some of what can be achieved through DevSecOps. Bringing development and security teams together is critical for staying secure in the cloud, and provides an opportunity to reduce the attack surface area by finding vulnerabilities during the application development process. However, that is just the tip of the iceberg.
By leveraging automation, your organization can apply security patches, provision servers and deploy applications at a faster pace. DevSecOps, as discussed in predictions for 2018, introduces security into the concept of continuous delivery, weaving it into the process of building, testing and releasing code changes. It also allows organizations to take actions such as relaunching server production environments to disrupt attacker dwell times.
Figuring out what challenges you would like DevSecOps to address within your organization is critical in determining what metrics to use. Once that has been determined, you can decide which metrics best help you measure how well you are dealing with those challenges.
In theory, the benefits of taking a DevSecOps approach are easy to explain. However, in practice, because of the pain involved in changing the way your organization has traditionally done things, it is important to use effective metrics to show how the changes are improving business operations. Here are a few metrics companies should consider implementing in 2018 to measure success:
- Point of Risk Per Device – This metric keeps track of the number of unpatched vulnerabilities per server. These vulnerabilities should be prioritized according to their criticality. Over time, the number of vulnerabilities should go down – particularly the ones that are critical and most exposed to attack from the internet.
- Number of Continuous Delivery Cycles Per Month – This is an important baseline metric to have so that you know how quickly you can deploy code changes in your production environment. Adopting a DevSecOps approach should increase the number of delivery cycles your organization can manage. Ideally, organizations should be able to handle a delivery cycle every two weeks if following the agile development cycle, but the more the merrier.
- Number of Software Defects Per Lines of Code – It is important to measure the amount of vulnerabilities discovered via static and dynamic security code analysis to see how effective your security practices are. Keep in mind that any short-term increase may be tied to more effective detection processes – in other words, the fact that you are getting better at detecting flaws before your custom code is moved to production.
- Percent of Policy adherence to CIS hardening standards on operating systems that support containers – The DevOps movement has spurred the popularity of containers, but while containers have clear advantages due to their size and efficiency, they also introduce a new set of security challenges that must be addressed. The Center for Internet Security has standards that can help organizations deal with some of these issues, and the percentage of compliance with these standards can be a useful tool to measuring how safe your environment is. If you apply 100% of the recommendations from CIS, your server will likely not work properly. However, if you are in the 90 to 95% range, you are doing very well.
This is by no means an exhaustive list, but these suggestions should get you started on deciding what metrics will be best for your business.