This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Day 4"

From OWASP

Revision as of 22:33, 5 January 2015

Key Activities

  • Measure and improve assessment service delivery.

Measured Metrics

  • Compare against industry metrics and interdepartmental metrics.
  • Compare behaviors against the measured metrics to identify which initiatives actually drive improvement in the metrics and in the security program.

Metric Definition

Metric / Definition

Number of Vulnerabilities
    The total count of vulnerabilities during the analysis period; most valuable as a metric tracked over time.

Time Open
    The number of partial days since the vulnerability was opened, as of a specific evaluation date. It includes only vulnerabilities that are still open on the evaluation date, not vulnerabilities that have been closed. It is computed as the evaluation date less the open date of the vulnerability.

Time-to-Fix
    The number of partial days required to close a vulnerability, computed as the close date less the open date. It is based only on vulnerabilities that were closed during the analysis period.

Remediation Rate
    The ratio of the number of vulnerabilities closed to the number of vulnerabilities opened over a given period of time. A vulnerability is considered closed if it was closed during the analysis period. A vulnerability is considered open if it was open at some time during the analysis period. A vulnerability opened and closed within the same period is therefore counted as both open and closed.

Vulnerability Class Likelihood
    The percentage of active applications that have at least one open vulnerability in a given vulnerability class over a given period of time. It is determined by dividing the number of applications with at least one open vulnerability in that class by the number of active applications.
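The following is an added worked example that computes the five metrics defined above from a small set of findings; it is not code from the OWASP page or project. The findings, application names and vulnerability classes are constructed. It assumes the analysis period is the half-open interval [period_start, period_end), that period_end also serves as the evaluation date for Time Open, and that "partial days" means fractional days. The Remediation Rate definition above is followed literally: a finding opened and closed inside the period counts in both the numerator and the denominator.

```python
"""Worked example of the OWASP assessment metrics defined above (added example,
not from the original page). Sample data is constructed; the analysis period is
[PERIOD_START, PERIOD_END) and PERIOD_END doubles as the evaluation date."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    app: str
    vuln_class: str
    opened: datetime
    closed: Optional[datetime]  # None while the finding is still open


def _days(delta: timedelta) -> float:
    """Express a timedelta as fractional ("partial") days (assumed reading)."""
    return delta.total_seconds() / 86400.0


def open_during(v: Vuln, start: datetime, end: datetime) -> bool:
    """Open at some time during [start, end): opened before the period ends and
    not closed before it begins. This is the 'open' test used by the metrics."""
    return v.opened < end and (v.closed is None or v.closed >= start)


def closed_during(v: Vuln, start: datetime, end: datetime) -> bool:
    """Closed inside [start, end)."""
    return v.closed is not None and start <= v.closed < end


def number_of_vulnerabilities(vulns: Iterable[Vuln], start: datetime, end: datetime) -> int:
    """Count of vulnerabilities open at some time during the period."""
    return sum(1 for v in vulns if open_during(v, start, end))


def time_open(vulns: Iterable[Vuln], eval_date: datetime) -> Dict[str, float]:
    """Days each vulnerability has been open as of eval_date. Findings already
    closed by eval_date, and findings opened after it, are excluded; a finding
    closed after eval_date was still open on that date and is included."""
    return {
        v.vuln_id: _days(eval_date - v.opened)
        for v in vulns
        if v.opened <= eval_date and (v.closed is None or v.closed > eval_date)
    }


def time_to_fix(vulns: Iterable[Vuln], start: datetime, end: datetime) -> Dict[str, float]:
    """Days from open to close, for findings closed during the period only."""
    return {v.vuln_id: _days(v.closed - v.opened) for v in vulns if closed_during(v, start, end)}


def remediation_rate(vulns: Iterable[Vuln], start: datetime, end: datetime) -> Optional[float]:
    """closed-during / open-during. A finding opened and closed inside the period
    is counted in both, as the definition states. None when nothing was open."""
    vulns = list(vulns)
    opened = number_of_vulnerabilities(vulns, start, end)
    closed = sum(1 for v in vulns if closed_during(v, start, end))
    return None if opened == 0 else closed / opened


def vuln_class_likelihood(vulns: Iterable[Vuln], active_apps: Set[str], vuln_class: str,
                          start: datetime, end: datetime) -> float:
    """Fraction of active applications with at least one open finding of the class."""
    affected = {v.app for v in vulns
                if v.vuln_class == vuln_class and v.app in active_apps and open_during(v, start, end)}
    return len(affected) / len(active_apps)


# Constructed sample findings (hypothetical application names and dates).
SAMPLE_VULNS = [
    Vuln("V1", "app-a", "XSS",  datetime(2014, 11, 1),   datetime(2014, 12, 10)),    # closed before the period
    Vuln("V2", "app-a", "SQLi", datetime(2014, 11, 20),  datetime(2015, 1, 3, 12)),  # opened earlier, closed in period
    Vuln("V3", "app-b", "XSS",  datetime(2014, 12, 5),   None),                      # still open
    Vuln("V4", "app-b", "XSS",  datetime(2015, 1, 2, 9), datetime(2015, 1, 4, 15)),  # opened and closed in period
    Vuln("V5", "app-c", "CSRF", datetime(2015, 1, 6),    None),                      # opened in period, still open
    Vuln("V6", "app-c", "XSS",  datetime(2015, 1, 10),   None),                      # opened in period, still open
    Vuln("V7", "app-d", "SQLi", datetime(2015, 2, 3),    None),                      # opened after the period
]
ACTIVE_APPS = {"app-a", "app-b", "app-c", "app-d"}  # app-d has no finding inside the period
PERIOD_START = datetime(2015, 1, 1)
PERIOD_END = datetime(2015, 2, 1)  # exclusive end; also the evaluation date


def report(vulns=SAMPLE_VULNS, apps=ACTIVE_APPS, start=PERIOD_START, end=PERIOD_END) -> dict:
    """Assemble all five metrics for one analysis period."""
    classes = sorted({v.vuln_class for v in vulns})
    return {
        "number_of_vulnerabilities": number_of_vulnerabilities(vulns, start, end),
        "time_open": time_open(vulns, end),
        "time_to_fix": time_to_fix(vulns, start, end),
        "remediation_rate": remediation_rate(vulns, start, end),
        "class_likelihood": {c: vuln_class_likelihood(vulns, apps, c, start, end) for c in classes},
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

With the sample data, V1 (closed before January) and V7 (opened after it) drop out of every period metric, V2 and V4 feed Time-to-Fix, and V4 is counted as both opened and closed in the Remediation Rate, giving 2/5 rather than 2/4; compare the two ratios when interpreting a rate that looks low.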