AIS-03: Application Security Metrics

CSF v1.1 References:

PF v1.0 References:

Control is new to this version of the control set.

Control Statement

Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations.

Implementation Guidance

Actionable metrics should be defined with consideration to business goals, the criticality of service, security requirements, and compliance obligations. Example technical metrics include:

  • Count or percentage of vulnerabilities by weakness.
  • Count or percentage of vulnerabilities by severity.
  • Count or percentage of vulnerabilities by detection source (design review, code review, SAST, DAST, penetration test, vulnerability disclosure program (VDP), or bug bounty).
  • Count or percentage of vulnerabilities by environment detected (pre-production vs. production).
  • Average time to resolution.
  • Count exceeding remediation service level objectives (SLOs).
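The technical metrics above are straightforward to compute once findings are tracked with a weakness, severity, source, environment, and open/close dates. The following Python block is an added example, not part of the CCM or any CSA tooling: it takes a small constructed set of findings, produces the by-weakness, by-severity, by-source and by-environment breakdowns, the mean time to resolution, and the list of findings that exceed a per-severity remediation SLO (the SLO day counts and the `Finding` record layout are assumptions for illustration, not values the CCM prescribes). Counting still-open findings against the SLO as well as closed ones is deliberate: an overdue finding that has not been closed is the case a remediation SLO exists to surface.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical remediation SLOs in days per severity. These values are an
# assumption for the example; real targets come from the organisation's policy.
SLO_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    """One vulnerability record as a tracker might export it (assumed layout)."""
    id: str
    cwe: str                      # weakness, e.g. a CWE identifier
    severity: str                 # critical / high / medium / low
    source: str                   # SAST, DAST, pentest, VDP, bug bounty, ...
    environment: str              # "pre-production" or "production"
    opened: date
    closed: Optional[date] = None  # None means the finding is still open


def days_open(f: Finding, today: date) -> int:
    """Age of a finding: opened -> closed, or opened -> today if still open."""
    return ((f.closed or today) - f.opened).days


def count_by(findings: List[Finding], attr: str) -> Dict[str, Tuple[int, float]]:
    """Count and percentage of findings grouped by one attribute."""
    counts = Counter(getattr(f, attr) for f in findings)
    total = sum(counts.values())
    return {k: (n, round(100.0 * n / total, 1)) for k, n in counts.items()}


def mean_time_to_resolution(findings: List[Finding]) -> Optional[float]:
    """Average days from open to close over closed findings only."""
    closed = [f for f in findings if f.closed is not None]
    if not closed:
        return None
    return sum((f.closed - f.opened).days for f in closed) / len(closed)


def slo_breaches(findings: List[Finding], today: date) -> List[str]:
    """IDs of findings whose age exceeds the SLO for their severity.

    Closed findings that were fixed late and open findings that are currently
    overdue are both reported, so the number never drops just because an
    overdue ticket remains unresolved.
    """
    return [f.id for f in findings if days_open(f, today) > SLO_DAYS[f.severity]]


def metrics(findings: List[Finding], today: date) -> dict:
    """The technical metrics listed in AIS-03, computed over one set of findings."""
    return {
        "by_weakness": count_by(findings, "cwe"),
        "by_severity": count_by(findings, "severity"),
        "by_source": count_by(findings, "source"),
        "by_environment": count_by(findings, "environment"),
        "mttr_days": mean_time_to_resolution(findings),
        "slo_breaches": slo_breaches(findings, today),
    }


# Constructed sample data for the example; not real findings.
TODAY = date(2024, 6, 30)
FINDINGS = [
    Finding("F-1", "CWE-89", "critical", "SAST", "pre-production", date(2024, 6, 1), date(2024, 6, 5)),
    Finding("F-2", "CWE-79", "high", "DAST", "production", date(2024, 5, 1), date(2024, 6, 10)),
    Finding("F-3", "CWE-79", "medium", "pentest", "production", date(2024, 3, 1)),
    Finding("F-4", "CWE-287", "low", "VDP", "production", date(2024, 6, 20)),
    Finding("F-5", "CWE-89", "high", "SAST", "pre-production", date(2024, 6, 10), date(2024, 6, 20)),
]

if __name__ == "__main__":
    for name, value in metrics(FINDINGS, TODAY).items():
        print(f"{name}: {value}")
```

With the sample data, F-2 (closed after 40 days against a 30-day high SLO) and F-3 (open 121 days against a 90-day medium SLO) are the SLO breaches, and the mean time to resolution over the three closed findings is 18 days. Running the same function over snapshots taken each reporting period gives the trend and comparison-to-standard views the reporting guidance asks for.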

Example operational metrics include:

  • Count or percentage of applications using automated security testing by test type (SAST, DAST, SCA).
  • Count or percentage of applications that have completed penetration testing in the last "n" months.
  • Count or percentage of development teams or individuals who have completed application security training in the last "n" months.
  • Count of proactive engagements by development and business teams.
  • Results from surveys delivered to application security customers, such as business and development teams.

Reporting: Reporting should be designed with various users in mind. For example, security professionals, engineering teams, business stakeholders, and executives will often have different interests requiring specialized views, filtering, and delivery mechanisms.

  1. The collection, visualization, and distribution of reporting data should be automated.
  2. Data may be further analyzed using application criticality, business units, platforms, languages, and other factors relevant to the viewer.
  3. Compare actual metrics to standards to evaluate performance.
  4. Enable comparisons over time to identify trends.
  5. Enable correlations, such as relating a reduction in vulnerabilities of a specific type after new tools or training.

Auditing Guidance

  1. Examine policy and procedures for the definition of operational metrics, security requirements, and compliance requirements.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.