Software Security Controls: Metrics Automation

In the white paper “Software Security Controls – Metrics Automation”, members of the National Defense Information Sharing and Analysis Center (ND-ISAC) complement the earlier series on Software Security Automation. This paper provides a roadmap for using the scan results produced by the security controls implemented in the Software Development Lifecycle (SDLC). The roadmap helps identify threat vectors in code, vulnerable components, and malicious behaviors, and offers guidance on how developers, managers, and executive leadership can use these metrics to improve the security posture of the organization.

Metrics allow an organization to measure what is or is not working in a process, supporting distinct decision-making roles. The different entities involved in security vulnerability detection, remediation, and compliance interpret these metrics according to the goals of their specific role.

In the paper, the authors propose a process that enables an organization to implement an effective metrics program for application security.

This process has the following steps:

  1. Define the metrics that can be extracted or inferred from the security controls implemented in an SDLC, and the distinct roles that will consume those metrics. The importance of each metric to each role is explained, along with the proper actions to take in response.
  2. Describe how to organize and store the required information, defining the components of a data warehouse, and the layout of the database schema.
  3. Define the data collection process. The organization needs to understand where the data is, which mappings are needed, how the data collection will be executed, and what validations should be performed to ensure data integrity.
  4. Define the visualization tools needed and how to use them to present the data in a meaningful way for distinct roles.

The audience for this white paper includes security engineers, lead software engineers, product managers, senior managers, and executives responsible for the selection, implementation, and integration of software security automation tools in the organization.

ND-ISAC members can participate in an upcoming webinar on 26 OCT 2021 where the authors will discuss the white paper.

Download the White Paper here: https://ndisac.org/wp-content/uploads/2022/02/ND-ISAC-Security-Controls-Metrics-Automation-Final.pdf