How to Make Your Vulnerability Management Metrics Count

Everyone in a software development organization, from the head honchos to the last member of the security and dev teams, is investing more and more resources in vulnerability management programs.

According to Gartner’s forecast for 2018, this is the year enterprise security spending will break records, rising 8% compared to 2017 and reaching a whopping $96 billion. But how do they know if they’re getting more bang for their buck? The answer can only be found by crunching the numbers.

Organizations must have solid vulnerability management metrics in place to make sure they are investing their security resources wisely, and can make adjustments accordingly.

Choosing the Vulnerability Management Metrics That Matter

With so many automated DevSecOps tools being integrated into the development lifecycle, it’s relatively easy to get the data. However, assessing and measuring everything will just leave us bogged down with endless graphs, charts, and numbers.

Teams that want their vulnerability management plan to efficiently address evolving security threats should focus their time and attention on the numbers that matter rather than just collecting everything. In addition to keeping your organization one step ahead of the hackers, having the right vulnerability management metrics is also the best way to win over your stakeholders and ensure that your security management plan gets the resources it needs, because the metrics show them a clear picture of how you are working and where there is room for improvement.

We’re here to give you the lowdown on how to get the vulnerability management metrics that matter.

Coverage: Track Your Assets

Clouds, microservices, containers, open source components, proprietary and third-party code: at least some of these are likely to make up your organization’s inventory. Today’s development teams rely on many components on multiple layers, and if you’re not keeping track of what your organization is using, how can you determine whether your vulnerability management plan is covering all of your systems?

In order to ensure that you have complete coverage of your assets and applications, you need to be on top of your asset inventory, so that you can successfully track it, and address vulnerabilities as soon as they are in your system. Automated AppSec tools like SAST and DAST, and Software Composition Analysis tools for open source components, can easily provide organizations with the data they need for solid vulnerability management metrics about their inventory and vulnerabilities.

Every Minute Counts: Time to Detection

Once you know what you have, how long does it take you to find vulnerabilities in your system?

Detection is a central phase in the vulnerability management process, and in order to ensure that your organization is doing it right, average time to detection has to be one of your vulnerability management metrics.

Issue trackers will include data like time of occurrence, time of detection, and number of incidents. This data can be retrieved on a monthly or even weekly basis, and ideally, hours will be the unit you use for your reports. Having metrics on how long it’s taking your teams to detect vulnerabilities lets you start figuring out how to minimize the amount of time that security vulnerabilities go unnoticed.

Against the Clock: Remediation and Patching

After assessing how long it takes your teams to detect a vulnerability, other vulnerability management metrics that decision makers want are the rates of remediation and patching. Happily, patch management and vulnerability remediation processes are increasingly adopting automated solutions. This means that in addition to speeding up your security operations, tracking the data about how efficiently your development and security teams are handling remediation and patching has become much easier.

Your organization should be looking at the number of vulnerabilities found, compared to the number of vulnerabilities patched or remediated, along with how long the process took. Tracking these metrics will help organizations tighten up their vulnerability management processes to fix more issues, within a shorter window of time.

More than Just a Numbers Game: Prioritizing Vulnerabilities

With the number of known security vulnerabilities continuously rising, organizations racing to resolve every single vulnerability as quickly as possible have no chance of winning at the security game. Vulnerability management metrics that simply provide a count of vulnerabilities and disregard how critical they are miss the mark and leave your developers buried under piles of tickets.

In order to get a clear picture and actionable insights on vulnerability management, metrics should focus on the riskiest vulnerabilities, the ones that will have the most impact on an organization’s systems and business. These are the vulnerabilities that need speedy and efficient fixes, and prioritizing them as part of your vulnerability management practices will enable organizations to manage vulnerabilities effectively.
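As an added illustration, not code from the original post or from WhiteSource, the following Python script computes the four kinds of metrics discussed in the sections above (asset coverage, time to detection, remediation rate and time to remediate, and a severity-prioritized backlog) from a handful of constructed issue-tracker records. The vulnerability IDs, asset names, CVSS scores and timestamps are all made up for the example; a real report would pull them from the tracker or scanner export.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Finding:
    """One vulnerability record as an issue tracker might export it."""
    vuln_id: str
    asset: str
    cvss: float                      # CVSS base score, 0.0-10.0
    introduced_at: datetime          # when the vulnerable code/component entered the system
    detected_at: datetime            # when a scanner or reviewer found it
    fixed_at: Optional[datetime] = None  # None while the ticket is still open


# Constructed sample data (hypothetical IDs, assets and dates; not real findings).
T0 = datetime(2018, 3, 1, 9, 0)
FINDINGS: List[Finding] = [
    Finding("VULN-0001", "payments-api", 9.8, T0, T0 + timedelta(hours=6), T0 + timedelta(hours=30)),
    Finding("VULN-0002", "payments-api", 5.3, T0, T0 + timedelta(hours=48)),
    Finding("VULN-0003", "web-frontend", 7.5, T0 + timedelta(days=2),
            T0 + timedelta(days=2, hours=12), T0 + timedelta(days=4)),
    Finding("VULN-0004", "batch-worker", 3.1, T0, T0 + timedelta(hours=72)),
    Finding("VULN-0005", "auth-service", 8.8, T0 + timedelta(days=1), T0 + timedelta(days=1, hours=2)),
]

# Constructed asset inventory and the subset the scanners actually covered this period.
INVENTORY: Set[str] = {"payments-api", "web-frontend", "batch-worker", "auth-service", "legacy-reports"}
SCANNED: Set[str] = {"payments-api", "web-frontend", "batch-worker", "auth-service"}


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def coverage(scanned: Set[str], inventory: Set[str]) -> float:
    """Fraction of inventoried assets that were covered by at least one scan."""
    if not inventory:
        return 0.0
    return len(scanned & inventory) / len(inventory)


def mean_time_to_detect_hours(findings: List[Finding]) -> float:
    """Average hours between a vulnerability entering the system and its detection."""
    if not findings:
        return 0.0
    return sum(hours(f.detected_at - f.introduced_at) for f in findings) / len(findings)


def mean_time_to_remediate_hours(findings: List[Finding]) -> float:
    """Average hours from detection to fix, over the findings that are actually closed."""
    fixed = [f for f in findings if f.fixed_at is not None]
    if not fixed:
        return 0.0
    return sum(hours(f.fixed_at - f.detected_at) for f in fixed) / len(fixed)


def remediation_rate(findings: List[Finding]) -> float:
    """Fixed findings divided by all findings in the period."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.fixed_at is not None) / len(findings)


def severity_band(cvss: float) -> str:
    """Map a CVSS score to the usual qualitative bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def prioritized_backlog(findings: List[Finding]) -> List[Finding]:
    """Open findings, riskiest first; ties broken by how long they have been known."""
    open_findings = [f for f in findings if f.fixed_at is None]
    return sorted(open_findings, key=lambda f: (-f.cvss, f.detected_at))


def open_by_band(findings: List[Finding]) -> Dict[str, int]:
    """Count of open findings per severity band, the number a status report should lead with."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for f in prioritized_backlog(findings):
        counts[severity_band(f.cvss)] += 1
    return counts


if __name__ == "__main__":
    print(f"coverage:          {coverage(SCANNED, INVENTORY):.0%}")
    print(f"mean time to detect:    {mean_time_to_detect_hours(FINDINGS):.1f} h")
    print(f"mean time to remediate: {mean_time_to_remediate_hours(FINDINGS):.1f} h")
    print(f"remediation rate:  {remediation_rate(FINDINGS):.0%}")
    print("open by severity:  ", open_by_band(FINDINGS))
    for f in prioritized_backlog(FINDINGS):
        print(f"  {f.vuln_id} {f.asset:14s} cvss={f.cvss} ({severity_band(f.cvss)})")
```

The backlog ordering is what turns a raw count into something a team can act on: the 8.8 on the auth service sorts above two lower-scored open tickets, and the per-band counts give stakeholders the critical/high figure without the noise of every low finding. Note that time to remediate is deliberately computed only over closed tickets; mixing open ones in would make the number look better than it is.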

Measuring Up: How to Get Your Vulnerability Management Metrics Right

The need to race from one sprint to the next, in order to provide customers with the most innovative solutions, along with the increasing number of known security vulnerabilities, puts security and development teams between a rock and a hard place.

Choosing the right vulnerability management metrics can help organizations keep track of their asset and application inventory, the number of vulnerabilities that require immediate attention, and the status of their remediation and patch management processes.

Once you know which numbers need crunching, it’s much easier to pinpoint the places that need improvement, and allocate the resources needed to keep both your organization’s development pace and security on track.

Meet The Author

Ayala Goldstein

Ayala Goldstein is a writer at WhiteSource. She writes about everything open source, AppSec, and DevOps.