OWASP Developer Guide

10. Metrics

Metrics are important in an organization for various reasons, and in software security they can be used to:

  • measure the effectiveness of security controls
  • determine security posture
  • provide justification for security programs
  • serve other purposes specific to the organization

At present the Application Wayfinder project (part of the OWASP Integration Standards project) does not identify any OWASP projects that gather or process metrics; this may change in the future.

Strategy and Metrics

The software security program is foundational to the strategic planning of an organization's security posture. Metrics keep track of the security activities within the plan and provide the information needed for gap analysis.

The Software Assurance Maturity Model (SAMM) provides descriptions and definitions for the Strategy and Metrics business practices within the Governance business function. It provides two streams for achieving organizational maturity:

  • Create and Promote which concerns the risks identified within an organization and what level of risk is acceptable
  • Measure and Improve which describes monitoring the security strategy through metrics

The categories of metrics suggested by SAMM are:

  • Effort metrics: the effort spent on security
  • Result metrics: the results of security efforts
  • Environment metrics: the environment where security efforts take place

There are other metrics, perhaps specific to an individual organization, that can also be collected and acted on. The Security Culture project provides various examples of metrics that can be considered.


The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.
