This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Application security metrics from the organization on down to the vulnerabilities

Jump to: navigation, search

The presentation

Chris Wysopal
Application security metrics are valuable today yet are still evolving. The best place to start is organizational metrics. CISOs and other security managers should be asking the questions: What applications do I have? What is the business criticality of those apps? What security analysis have been performed? Once those questions are answered the next level of metrics should be determined. What is the coverage of the different security techniques both in breadth and depth? What testing should I perform and how do I prioritize what to remediate and know when I am secure. This talk will present the data to collect and how to calculate metrics to measure and improve application security.

The speaker

Chris Wysopal, Veracode's CTO and Co-Founder, is responsible for the company's software security analysis capabilities. One of the original web vulnerability researchers with The L0pht and later @stake, Chris testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He is the author of "The Art of Software Security Testing", published in 2007 by Addison-Wesley. Recently Chris, along with experts from more than 30 cyber security organizations helped develop the SANS-CWE Top 25 Most Dangerous Programming Errors.