Technical Whitepaper - "Tracking Performance of Software Security Assurance - 5 Essential KPIs"

Hi everyone, today I'm happy to announce that my technical whitepaper titled "Tracking Performance of Software Security Assurance - 5 Essential KPIs" is available for public distribution!

You can get your copy right here, and feel free to share it, provide feedback in any of the many forums you can find me in, and discuss! I'd love your feedback on how to make the next version better.

Deelima | 10-14-2011 08:44 PM

Raf, great white paper; it really articulates how important these KPIs are compared to less mature and old-fashioned metrics. Would these KPIs be the same for customers wanting to move to the Cloud and, given the risks, almost mandatory to establish prior to executing?

Thanks, Denise

InfosecChap | 10-16-2011 01:50 AM

Agree entirely about using KPIs, though I wonder how one relates software defects to security vulnerabilities. Is it possible to have zero defects but to have plenty of vulnerabilities? Or to have no vulnerabilities but still to have defects? Or are the defects only security defects, in which case, fair point.

I'd be interested to know how this works in reality: I suspect that most software producers just want to get their product into production, rather than undertake vast historical analytics. When I read the title I expected a view on SIEM; I'd be interested to know what operational security KPIs you are currently using, other than patching perhaps. I guess that having it all in one place would enable a holistic approach to be implemented.



Rafal Los (Wh1t3Rabbit) | 10-19-2011 09:33 AM

@InfosecChap -

Thanks for the fantastic feedback! I've been thinking on that topic for a while now, and while this initial focus is on Software Security program effectiveness, there is a much broader initiative to help IT (and Security as a function thereof) going on in HP called "ITPS". There is also a community on LinkedIn around this called Discover Performance. We're thinking broadly on the topic, and it's going to be a long-term goal of ours to figure out how IT Security 'stuff' fits into the notion of "How does IT support the business?".

Stay tuned! And in the meantime, give this a look (HP Discover Performance)... for now it's still missing the 'Security' bit, but I'm working on that.
