{"id":334,"date":"2009-11-13T10:35:08","date_gmt":"2009-11-13T15:35:08","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=334"},"modified":"2010-02-01T19:08:24","modified_gmt":"2010-02-02T00:08:24","slug":"application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\/","title":{"rendered":"Application Security Metrics from the Organization on Down to the Vulnerabilities"},"content":{"rendered":"<p>This presentation was by Chris Wysopal, the CTO of Veracode.\u00a0 My notes are below:<\/p>\n<p>&#8220;To measure is to know.&#8221; &#8211; James Clerk Maxwell<\/p>\n<p>&#8220;Measurement motivates.&#8221; &#8211; John Kenneth Galbraith<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Metrics do Matter<\/strong><\/span><\/p>\n<ol>\n<li>Metrics quantify the otherwise unquantifiable<\/li>\n<li>Metrics can show trends and trends matter more than measurements do<\/li>\n<li>Metrics can show if we are doing a good job or bad job<\/li>\n<li>Metrics can show if you have no idea where you are<\/li>\n<li>Metrics establish where &#8220;You are here&#8221; really is<\/li>\n<li>Metrics build bridges to managers<\/li>\n<li>Metrics allow cross sectional comparisons<\/li>\n<li>Metrics set targets<\/li>\n<li>Metrics benchmark yourself against the opposition<\/li>\n<li>Metrics create curiosity<\/li>\n<\/ol>\n<p><span style=\"text-decoration: underline;\"><strong>Metrics Don&#8217;t Matter (Mike Rothman)<br \/>\n<\/strong><\/span><\/p>\n<ul>\n<li>It is too easy to count things for no purpose other than to count them<\/li>\n<li>You cannot measure security so stop<\/li>\n<li>This following is all that matters and you can&#8217;t map security metrics to them:\n<ul>\n<li>Maintenance of availability<\/li>\n<li>Preservation of wealth<\/li>\n<li>Limitation on corporate liability<\/li>\n<li>Compliance<\/li>\n<li>Shepherding the corporate brand<\/li>\n<\/ul>\n<\/li>\n<li>Cost of measurement not worth the benefit<\/li>\n<\/ul>\n<p>Bad metrics are worse than no metrics<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Security Metrics Can Drive Executive Decision Making<\/strong><\/span><\/p>\n<ul>\n<li>How secure am I?<\/li>\n<li>Am I better off than this time last year?<\/li>\n<li>Am I spending the right about of money?<\/li>\n<li>How do I compare to my peers?<\/li>\n<li>What risk transfer options to I have?<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Goals of Application Security Metrics<\/strong><\/span><\/p>\n<ul>\n<li>Provide quantifiable information to support enterprise risk management and risk-based decision making<\/li>\n<li>Articulate progress towards goals and objectives<\/li>\n<li>Provides a repeatable, quantifiable way to assess, compare, and track improvements in assurance<\/li>\n<li>Focus activities on risk mitigation in order of priority and exploitability<\/li>\n<li>Facilitate adoption and improvement of secure software design and development processes<\/li>\n<li>Provide and objective means of comparing and benchmarking projects, divisions, organizations, and vendor products<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Use Enumerations<\/strong><\/span><\/p>\n<ul>\n<li>Enumerations help identify specific software-related items that can be counted, aggregated, evaluated over time<\/li>\n<li>CVE &#8211; Common Vulnerabilities and Exposures<\/li>\n<li>CWE &#8211; Common Weakness Enumeration<\/li>\n<li>CAPEC &#8211; Common Attack Pattern Enumeration and Classification<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Organizational Metrics<\/strong><\/span><\/p>\n<ul>\n<li>Percentage of application inventory developed with SDLC (which version of SDLC?)<\/li>\n<li>Business criticality of each application in inventory<\/li>\n<li>Percentage of application inventory tested for security (what level of testing?)<\/li>\n<li>Percentage of application inventory remediated and meeting assurance requirements<\/li>\n<li>Roll up of testing results<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Organizational Metrics<\/strong><\/span><\/p>\n<ul>\n<li>Cost to fix defects at different points in the software lifecycle<\/li>\n<li>Cost of data breaches related to software vulnerabilities<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Testing Metrics<\/strong><\/span><\/p>\n<ul>\n<li>Number of threats identified in threat model<\/li>\n<li>Size of attack surface identified<\/li>\n<li>Percentage code coverage (static and dynamic)<\/li>\n<li>Coverage of defect categories (CWE)<\/li>\n<li>Coverage of attack pattern categories (CAPEC)<\/li>\n<\/ul>\n<p>SANS Top 25 Mapped to Application Security Methods (CWE, Title, Education?, Manual Process?, Tools?, Threat Model?)<\/p>\n<p>Weakness Class Prevalence based on 2008 CVE data (Mitre?)<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Basic Metrics: Defect Counts<\/strong><\/span><\/p>\n<ul>\n<li>Design and implementation defects\n<ul>\n<li>CWE identifier<\/li>\n<li>CVSS score<\/li>\n<li>Severity<\/li>\n<li>Likelihood of exploit<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Automated Code Analysis Techniques<\/strong><\/span><\/p>\n<ul>\n<li>Static Analysis (White Box Testing)<\/li>\n<li>Dynamic Analysis (Black Box Testing)<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Manual Analysis<\/strong><\/span><\/p>\n<ul>\n<li>Manual Penetration Testing<\/li>\n<li>Manual Code Review<\/li>\n<li>Manual Design Review<\/li>\n<li>Threat Modeling<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>WASC Web Application Security Statistics Project 2008<\/strong><\/span><\/p>\n<ul>\n<li>Goals\n<ul>\n<li>Identify the prevalence and probability of different vulnerability classes<\/li>\n<li>Compare testing methodologies against what types of vulnerabilities they are likely to identify<\/li>\n<\/ul>\n<\/li>\n<li>Summary\n<ul>\n<li>12186 web applications with 97554 detected vulnerabilities<\/li>\n<li>More than 13% of all reviewed sites can be compromised completely automatically<\/li>\n<li>About 49% of web applications contain vulnerabilities of high risk level detected by scanning<\/li>\n<li>Manual and automated assessment by white box method allows to detect these high risk level vulnerabilities with the probability up to 80-96%<\/li>\n<li>99% of web applications are not compliant with PCI DSS standard<\/li>\n<\/ul>\n<\/li>\n<li>Compare to 2007 WASC Project\n<ul>\n<li>Number of sites with SQL Injection fell by 13%<\/li>\n<li>Number of sites with Cross-site Scripting fell 20%<\/li>\n<li>Number of sites with different types of Information Leakage rose by 24%<\/li>\n<li>Probability to compromise a host automatically rose from 7 to 13%<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This presentation was by Chris Wysopal, the CTO of Veracode.\u00a0 My notes are below: &#8220;To measure is to know.&#8221; &#8211; James Clerk Maxwell &#8220;Measurement motivates.&#8221; &#8211; John Kenneth Galbraith Metrics do Matter Metrics quantify the otherwise unquantifiable Metrics can show trends and trends matter more than measurements do Metrics can show if we are doing [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[343,307],"tags":[76,148,310,344,622,10],"class_list":["post-334","post","type-post","status-publish","format-standard","hentry","category-metrics-security","category-owasp-appsec-dc-2009","tag-application","tag-attack","tag-metrics","tag-probability","tag-security","tag-vulnerability"],"aioseo_notices":[],"aioseo_head":"\n\t\t<!-- All in One SEO 4.9.10 - aioseo.com -->\n\t<meta name=\"description\" content=\"This presentation was by Chris Wysopal, the CTO of Veracode. My notes are below: &quot;To measure is to know.&quot; - James Clerk Maxwell &quot;Measurement motivates.&quot; - John Kenneth Galbraith Metrics do Matter Metrics quantify the otherwise unquantifiable Metrics can show trends and trends matter more than measurements do Metrics can show if we are doing\" \/>\n\t<meta name=\"robots\" content=\"max-image-preview:large\" \/>\n\t<meta name=\"author\" content=\"Josh\"\/>\n\t<link rel=\"canonical\" href=\"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\/\" \/>\n\t<meta name=\"generator\" content=\"All in One SEO (AIOSEO) 4.9.10\" \/>\n\t\t<meta property=\"og:locale\" content=\"en_US\" \/>\n\t\t<meta property=\"og:site_name\" content=\"Web Admin Blog | Real Web Admins.  Real World Experience.\" \/>\n\t\t<meta property=\"og:type\" content=\"article\" \/>\n\t\t<meta property=\"og:title\" content=\"Application Security Metrics from the Organization on Down to the Vulnerabilities | Web Admin Blog\" \/>\n\t\t<meta property=\"og:description\" content=\"This presentation was by Chris Wysopal, the CTO of Veracode. My notes are below: &quot;To measure is to know.&quot; - James Clerk Maxwell &quot;Measurement motivates.&quot; - John Kenneth Galbraith Metrics do Matter Metrics quantify the otherwise unquantifiable Metrics can show trends and trends matter more than measurements do Metrics can show if we are doing\" \/>\n\t\t<meta property=\"og:url\" content=\"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\/\" \/>\n\t\t<meta property=\"article:published_time\" content=\"2009-11-13T15:35:08+00:00\" \/>\n\t\t<meta property=\"article:modified_time\" content=\"2010-02-02T00:08:24+00:00\" \/>\n\t\t<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n\t\t<meta name=\"twitter:title\" content=\"Application Security Metrics from the Organization on Down to the Vulnerabilities | Web Admin Blog\" \/>\n\t\t<meta name=\"twitter:description\" content=\"This presentation was by Chris Wysopal, the CTO of Veracode. My notes are below: &quot;To measure is to know.&quot; - James Clerk Maxwell &quot;Measurement motivates.&quot; - John Kenneth Galbraith Metrics do Matter Metrics quantify the otherwise unquantifiable Metrics can show trends and trends matter more than measurements do Metrics can show if we are doing\" \/>\n\t\t<script type=\"application\/ld+json\" class=\"aioseo-schema\">\n\t\t\t{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/13\\\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\\\/#article\",\"name\":\"Application Security Metrics from the Organization on Down to the Vulnerabilities | Web Admin Blog\",\"headline\":\"Application Security Metrics from the Organization on Down to the Vulnerabilities\",\"author\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/author\\\/jsokol\\\/#author\"},\"publisher\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/#organization\"},\"datePublished\":\"2009-11-13T10:35:08-06:00\",\"dateModified\":\"2010-02-01T19:08:24-06:00\",\"inLanguage\":\"en-US\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/13\\\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\\\/#webpage\"},\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/13\\\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\\\/#webpage\"},\"articleSection\":\"Metrics, OWASP AppSec DC 2009, application, attack, metrics, probability, Security, vulnerability\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/13\\\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\\\/#breadcrumblist\",\"itemListElement\":[{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com#listItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.webadminblog.com\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/conferences\\\/#listItem\",\"name\":\"Conferences\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/conferences\\\/#listItem\",\"position\":2,\"name\":\"Conferences\",\"item\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/conferences\\\/\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/conferences\\\/owasp-appsec-dc-2009\\\/#listItem\",\"name\":\"OWASP AppSec DC 2009\"},\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com#listItem\",\"name\":\"Home\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/conferences\\\/owasp-appsec-dc-2009\\\/#listItem\",\"position\":3,\"name\":\"OWASP AppSec DC 2009\",\"item\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/conferences\\\/owasp-appsec-dc-2009\\\/\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/13\\\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\\\/#listItem\",\"name\":\"Application Security Metrics from the Organization on Down to the Vulnerabilities\"},\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/conferences\\\/#listItem\",\"name\":\"Conferences\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/13\\\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\\\/#listItem\",\"position\":4,\"name\":\"Application Security Metrics from the Organization on Down to the Vulnerabilities\",\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/conferences\\\/owasp-appsec-dc-2009\\\/#listItem\",\"name\":\"OWASP AppSec DC 2009\"}}]},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/#organization\",\"name\":\"Web Admin Blog\",\"description\":\"Real Web Admins.  Real World Experience.\",\"url\":\"https:\\\/\\\/www.webadminblog.com\\\/\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/author\\\/jsokol\\\/#author\",\"url\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/author\\\/jsokol\\\/\",\"name\":\"Josh\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/13\\\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\\\/#authorImage\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/17951f69795527f90a4e9cb75ad6c9b3?s=96&d=identicon&r=pg\",\"width\":96,\"height\":96,\"caption\":\"Josh\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/13\\\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\\\/#webpage\",\"url\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/13\\\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\\\/\",\"name\":\"Application Security Metrics from the Organization on Down to the Vulnerabilities | Web Admin Blog\",\"description\":\"This presentation was by Chris Wysopal, the CTO of Veracode. My notes are below: \\\"To measure is to know.\\\" - James Clerk Maxwell \\\"Measurement motivates.\\\" - John Kenneth Galbraith Metrics do Matter Metrics quantify the otherwise unquantifiable Metrics can show trends and trends matter more than measurements do Metrics can show if we are doing\",\"inLanguage\":\"en-US\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/#website\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/13\\\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\\\/#breadcrumblist\"},\"author\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/author\\\/jsokol\\\/#author\"},\"creator\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/author\\\/jsokol\\\/#author\"},\"datePublished\":\"2009-11-13T10:35:08-06:00\",\"dateModified\":\"2010-02-01T19:08:24-06:00\"},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/#website\",\"url\":\"https:\\\/\\\/www.webadminblog.com\\\/\",\"name\":\"Web Admin Blog\",\"description\":\"Real Web Admins.  Real World Experience.\",\"inLanguage\":\"en-US\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/#organization\"}}]}\n\t\t<\/script>\n\t\t<!-- All in One SEO -->\n\n","aioseo_head_json":{"title":"Application Security Metrics from the Organization on Down to the Vulnerabilities | Web Admin Blog","description":"This presentation was by Chris Wysopal, the CTO of Veracode. My notes are below: \"To measure is to know.\" - James Clerk Maxwell \"Measurement motivates.\" - John Kenneth Galbraith Metrics do Matter Metrics quantify the otherwise unquantifiable Metrics can show trends and trends matter more than measurements do Metrics can show if we are doing","canonical_url":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\/","robots":"max-image-preview:large","keywords":"","webmasterTools":{"miscellaneous":""},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\/#article","name":"Application Security Metrics from the Organization on Down to the Vulnerabilities | Web Admin Blog","headline":"Application Security Metrics from the Organization on Down to the Vulnerabilities","author":{"@id":"https:\/\/www.webadminblog.com\/index.php\/author\/jsokol\/#author"},"publisher":{"@id":"https:\/\/www.webadminblog.com\/#organization"},"datePublished":"2009-11-13T10:35:08-06:00","dateModified":"2010-02-01T19:08:24-06:00","inLanguage":"en-US","mainEntityOfPage":{"@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\/#webpage"},"isPartOf":{"@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\/#webpage"},"articleSection":"Metrics, OWASP AppSec DC 2009, application, attack, metrics, probability, Security, vulnerability"},{"@type":"BreadcrumbList","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\/#breadcrumblist","itemListElement":[{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com#listItem","position":1,"name":"Home","item":"https:\/\/www.webadminblog.com","nextItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/#listItem","name":"Conferences"}},{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/#listItem","position":2,"name":"Conferences","item":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/","nextItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/owasp-appsec-dc-2009\/#listItem","name":"OWASP AppSec DC 2009"},"previousItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com#listItem","name":"Home"}},{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/owasp-appsec-dc-2009\/#listItem","position":3,"name":"OWASP AppSec DC 2009","item":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/owasp-appsec-dc-2009\/","nextItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\/#listItem","name":"Application Security Metrics from the Organization on Down to the Vulnerabilities"},"previousItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/#listItem","name":"Conferences"}},{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\/#listItem","position":4,"name":"Application Security Metrics from the Organization on Down to the Vulnerabilities","previousItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/owasp-appsec-dc-2009\/#listItem","name":"OWASP AppSec DC 2009"}}]},{"@type":"Organization","@id":"https:\/\/www.webadminblog.com\/#organization","name":"Web Admin Blog","description":"Real Web Admins.  Real World Experience.","url":"https:\/\/www.webadminblog.com\/"},{"@type":"Person","@id":"https:\/\/www.webadminblog.com\/index.php\/author\/jsokol\/#author","url":"https:\/\/www.webadminblog.com\/index.php\/author\/jsokol\/","name":"Josh","image":{"@type":"ImageObject","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\/#authorImage","url":"https:\/\/secure.gravatar.com\/avatar\/17951f69795527f90a4e9cb75ad6c9b3?s=96&d=identicon&r=pg","width":96,"height":96,"caption":"Josh"}},{"@type":"WebPage","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\/#webpage","url":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\/","name":"Application Security Metrics from the Organization on Down to the Vulnerabilities | Web Admin Blog","description":"This presentation was by Chris Wysopal, the CTO of Veracode. My notes are below: \"To measure is to know.\" - James Clerk Maxwell \"Measurement motivates.\" - John Kenneth Galbraith Metrics do Matter Metrics quantify the otherwise unquantifiable Metrics can show trends and trends matter more than measurements do Metrics can show if we are doing","inLanguage":"en-US","isPartOf":{"@id":"https:\/\/www.webadminblog.com\/#website"},"breadcrumb":{"@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\/#breadcrumblist"},"author":{"@id":"https:\/\/www.webadminblog.com\/index.php\/author\/jsokol\/#author"},"creator":{"@id":"https:\/\/www.webadminblog.com\/index.php\/author\/jsokol\/#author"},"datePublished":"2009-11-13T10:35:08-06:00","dateModified":"2010-02-01T19:08:24-06:00"},{"@type":"WebSite","@id":"https:\/\/www.webadminblog.com\/#website","url":"https:\/\/www.webadminblog.com\/","name":"Web Admin Blog","description":"Real Web Admins.  Real World Experience.","inLanguage":"en-US","publisher":{"@id":"https:\/\/www.webadminblog.com\/#organization"}}]},"og:locale":"en_US","og:site_name":"Web Admin Blog | Real Web Admins.  Real World Experience.","og:type":"article","og:title":"Application Security Metrics from the Organization on Down to the Vulnerabilities | Web Admin Blog","og:description":"This presentation was by Chris Wysopal, the CTO of Veracode. My notes are below: &quot;To measure is to know.&quot; - James Clerk Maxwell &quot;Measurement motivates.&quot; - John Kenneth Galbraith Metrics do Matter Metrics quantify the otherwise unquantifiable Metrics can show trends and trends matter more than measurements do Metrics can show if we are doing","og:url":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\/","article:published_time":"2009-11-13T15:35:08+00:00","article:modified_time":"2010-02-02T00:08:24+00:00","twitter:card":"summary_large_image","twitter:title":"Application Security Metrics from the Organization on Down to the Vulnerabilities | Web Admin Blog","twitter:description":"This presentation was by Chris Wysopal, the CTO of Veracode. My notes are below: &quot;To measure is to know.&quot; - James Clerk Maxwell &quot;Measurement motivates.&quot; - John Kenneth Galbraith Metrics do Matter Metrics quantify the otherwise unquantifiable Metrics can show trends and trends matter more than measurements do Metrics can show if we are doing"},"aioseo_meta_data":{"post_id":"334","title":null,"description":null,"keywords":null,"keyphrases":null,"primary_term":null,"canonical_url":null,"og_title":null,"og_description":null,"og_object_type":"default","og_image_type":"default","og_image_url":null,"og_image_width":null,"og_image_height":null,"og_image_custom_url":null,"og_image_custom_fields":null,"og_video":null,"og_custom_url":null,"og_article_section":null,"og_article_tags":null,"twitter_use_og":false,"twitter_card":"default","twitter_image_type":"default","twitter_image_url":null,"twitter_image_custom_url":null,"twitter_image_custom_fields":null,"twitter_title":null,"twitter_description":null,"schema":{"blockGraphs":[],"customGraphs":[],"default":{"data":{"Article":[],"Course":[],"Dataset":[],"FAQPage":[],"Movie":[],"Person":[],"Product":[],"ProductReview":[],"Car":[],"Recipe":[],"Service":[],"SoftwareApplication":[],"WebPage":[]},"graphName":"","isEnabled":true},"graphs":[]},"schema_type":"default","schema_type_options":null,"pillar_content":false,"robots_default":true,"robots_noindex":false,"robots_noarchive":false,"robots_nosnippet":false,"robots_nofollow":false,"robots_noimageindex":false,"robots_noodp":false,"robots_notranslate":false,"robots_max_snippet":null,"robots_max_videopreview":null,"robots_max_imagepreview":"large","priority":null,"frequency":null,"local_seo":null,"breadcrumb_settings":null,"limit_modified_date":false,"ai":null,"created":"2025-01-03 22:47:32","updated":"2025-07-17 07:15:29","seo_analyzer_scan_date":null},"aioseo_breadcrumb":"<div class=\"aioseo-breadcrumbs\"><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/www.webadminblog.com\" title=\"Home\">Home<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/\" title=\"Conferences\">Conferences<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/owasp-appsec-dc-2009\/\" title=\"OWASP AppSec DC 2009\">OWASP AppSec DC 2009<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\tApplication Security Metrics from the Organization on Down to the Vulnerabilities\n\t\t<\/span><\/div>","aioseo_breadcrumb_json":[{"label":"Home","link":"https:\/\/www.webadminblog.com"},{"label":"Conferences","link":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/"},{"label":"OWASP AppSec DC 2009","link":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/owasp-appsec-dc-2009\/"},{"label":"Application Security Metrics from the Organization on Down to the Vulnerabilities","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/13\/application-security-metrics-from-the-organization-on-down-to-the-vulnerabilities\/"}],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-5o","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/334","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=334"}],"version-history":[{"count":4,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/334\/revisions"}],"predecessor-version":[{"id":379,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/334\/revisions\/379"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=334"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=334"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}