the lesson 3.3.
We're gonna talk about def sec up metrics. So it's important to
be able to measure the impact on the system and also how well you're doing.
So, Dev Ops very already has their own metrics. So we're gonna look at what we need for security components.
The lesson objective. Just wanted to find what what needs to be measured. Critique some of the security specific metrics, differentiate between categories and metrics and develop some metrics for def SEC ops Implementation
the 1st 1 to said Measure and assess securities impact.
And there's ah, KP. I hear that that they had missed secure software
development framework defines p 0.4. So is it important that we need to define these key performance indicators?
What we want to do is the measure to quantify the risk
track integration impacts Definitely mentioned Devil Party has their own, but we need their own distinct security metrics,
and we also need to measure the impact. So we want to see how how ah, the metrics for before security components went in there, and then how how they're reacting after where the's security tools are introduced into the pipeline
So some of the 1st 1 who is lead time Metric said, This is a capacity to respond, change, deliver requested security features.
And then I'm gonna can go through just a couple ideas of metrics and categories. There's plenty more out there. Just just kind of get you thinking about what you would need for it was implementing def SEC ops in your enterprise.
We want to look at the average lead time. Which the Delta between acquired running? Look at the velocity for the developers.
Uh, the cycle time, time to value trends.
So quick. Question. Just toe jump in.
Who will use metrics or in the organization when you get these, where where will they be used and for what purpose?
So I can think of plenty of things, so they're meant to be developers. They maybe look at their own productivity.
The operations may be looking at the actual deployment
security. Wigan would be interested in measuring the quality of the code again, the impact on the Dev ops and then the executives are very interested in the impacts how well things were functioning, how well each individual is, how where the system is anything like that
to some deployment metrics, which is the health of employment process. Leading indicators of the application stability.
So, again, we re looking at time to deploy maybe how long it takes the new version to get to production, which is a speed, how frequent you can deploy, how long it takes to fix failed releases
and how often software fails. So the production failure rate. It's another way of naming this
in the mean time to repair its How fast can threats be mitigated? How fast could services be restored? So these air security specific. So who interested in
triaging investigating remediated each one of these steps, how long they take
and then the meantime to recovery? Which is how do we recover from a failure in a production?
Here's a quick quiz
in which category of metric is time to triage? Is that lead time deployment or mean time to repair
part of the first step before investigation and remediation can occur?
So in this lesson, we talked about integrating depth, stickups, metrics and
how we would do that. What we interested in measuring and the next lesson will just take a look at how to help developers with security concepts and tools, so providing them what they need to securely write code, and so there's less testing that needs to be done afterwards.