To measure is to know.

Measuring web application security is critical to the program’s success. Chief Information Security Officers (CISOs) and other professionals in charge of the program need data intelligence to monitor technologies, processes, and the people managing those processes. The metrics also become significant when reporting the efficiency of the app sec program to senior management.

However, what is it that you should measure and monitor? What are the key indicators of success of your web application security program? We have grouped the most useful questions into three categories to help you and your team establish a set of metrics.

Number of Current Vulnerabilities and Their Severity

A vulnerability is a weakness that allows a hacker to breach your application.

At any given time, this is the most important application security metric that you should have. Whether you are using automated testing, penetration testing/ethical hacking or a combination of both, the report should detail your exposure.

A more comprehensive view of these vulnerabilities will also show the risk severity and business risk of each vulnerability.

[Image: Application Security Metrics, severity]

These figures will help you prioritize remediation action and decrease the exposure risks.

Find out about business risks in the OWASP Top 10 Vulnerabilities Playbook

Why: The number of vulnerabilities and their severity are directly proportional to the attack risk.

 

Age of Vulnerability

According to the Web Application Security Statistics Report, fixing a critical vulnerability takes 146 days on average. That’s five months for hackers to try different attack methods. Can you really afford that?

[Image: Average days to fix vulnerability]

If your vulnerability testing reports do not track age, chances are that vulnerabilities will stay open for weeks, even months. How long has it been since a given vulnerability was first discovered? You need to fully understand the business impact of Critical, High and Medium loopholes and ensure that they are remediated or protected through a Web Application Firewall.

Why: Without patching or protection, attackers get time to try out various exploitation methods.

 

New Vulnerabilities Introduced

The rapid rate of application development and updates often leads to an increase in vulnerabilities. While you are struggling to keep up with the old issues, there is a chance that new releases bring new, even more severe issues into the application.

[Image: zero day report]

The number of new vulnerabilities is a key application security metric, especially with new releases and updates. It helps security professionals make informed decisions about securing the new application version.

Why: Number and severity of new vulnerabilities help CISOs monitor recent risks.

 

Average Time to Fix

It takes 146 days to fix a critical vulnerability. Will the hackers wait to exploit it? Is your team really pushing the fixes proactively?

For most new-age companies, time to fix reported vulnerabilities is a headache. Even critical ones can stay in the software for weeks. With this app security metric in place, companies can start focusing on lowering the fixing time frame, especially if you are not behind any virtual patching and hack prevention.

Why: A high average time to fix highlights how many days risks stay open and allows you to track the efficiency of patch development.
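The four vulnerability metrics above (open count by severity, age of each open finding against a remediation deadline, new findings introduced per release, and average time to fix) can be computed from any scanner or pentest export that records discovery and fix dates. The following is an added example, not code from the original post or from any product; the findings, release labels and SLA thresholds are constructed placeholders.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample findings (not real data). fixed=None means still open.
FINDINGS = [
    {"id": "V-1", "severity": "Critical", "found": date(2019, 1, 10), "fixed": date(2019, 6, 5),  "release": "1.0"},
    {"id": "V-2", "severity": "High",     "found": date(2019, 4, 10), "fixed": None,              "release": "1.1"},
    {"id": "V-3", "severity": "Critical", "found": date(2019, 3, 15), "fixed": None,              "release": "1.1"},
    {"id": "V-4", "severity": "Medium",   "found": date(2019, 3, 20), "fixed": date(2019, 4, 1),  "release": "1.1"},
    {"id": "V-5", "severity": "High",     "found": date(2019, 2, 2),  "fixed": date(2019, 4, 30), "release": "1.0"},
]

# Assumed remediation deadline per severity, in days (placeholder policy, not the page's).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90}

# Reporting date for the snapshot (constructed).
AS_OF = date(2019, 5, 1)

def open_findings(findings, as_of):
    """Findings discovered on or before as_of and not fixed by then."""
    return [f for f in findings if f["found"] <= as_of and (f["fixed"] is None or f["fixed"] > as_of)]

def open_by_severity(findings, as_of):
    """Metric 1: number of currently open vulnerabilities per severity."""
    counts = defaultdict(int)
    for f in open_findings(findings, as_of):
        counts[f["severity"]] += 1
    return dict(counts)

def age_days(finding, as_of):
    """Metric 2: days since the finding was first discovered."""
    return (as_of - finding["found"]).days

def sla_breaches(findings, as_of):
    """Open findings whose age exceeds the deadline for their severity."""
    return [f["id"] for f in open_findings(findings, as_of) if age_days(f, as_of) > SLA_DAYS[f["severity"]]]

def new_in_release(findings, release):
    """Metric 3: findings first introduced by a given release, per severity."""
    counts = defaultdict(int)
    for f in findings:
        if f["release"] == release:
            counts[f["severity"]] += 1
    return dict(counts)

def mean_time_to_fix(findings, severity):
    """Metric 4: average days from discovery to fix over closed findings of one severity."""
    durations = [(f["fixed"] - f["found"]).days for f in findings if f["severity"] == severity and f["fixed"]]
    return mean(durations) if durations else None
```

Run as a scheduled job over the real export and the same functions give a per-severity view of exposure over time; with the constructed data the Critical mean time to fix comes out at the report's 146 days.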

 

Number of Business Logic Vulnerabilities

Some security loopholes are exclusive to your business. These are business logic vulnerabilities that arise due to logical flaws in the business function or flow. Since no automated tool will know about your business flow, they will not detect these vulnerabilities either.

New-age business and cloud companies should look for comprehensive vulnerability testing, which also deals with logical flaws of the business. Ideally, it should combine frequent automated testing with manual penetration testing by security experts. Business logic vulnerabilities should be resolved at the earliest.

Why: Business logic vulnerabilities are critical and should be fixed on priority. 

 

Category: Attack Intelligence

Attacks on Existing Vulnerabilities

An intelligent web application firewall not only blocks the attack but also studies traffic and attack vectors to assimilate patterns and behaviours. For instance, AppTrana is designed to sync data between web application scanning and firewall to learn about exploitation attempts. If a single vulnerability is targeted repeatedly, it not only blocks those attempts, it also alerts the security team and customer about the attempts.

[Image: Number of attacks]

Why: Frequent attacks on a vulnerability denote that hackers know about the issue and are just finding ways to crack it.

 

Most Attacked URIs

Do you know which are the most attacked pages of your site? Look at these pieces of information and tell us which one makes more sense.

a) Your website was attacked 53 times last month.
b) Hackers attempted to exploit vulnerability on Page A (23 attacks), Page B (20 attacks), and Page C (10 attacks).

 

[Image: DDoS Attack URI]

The second one is, without question, the more intelligent insight, and one that leads to action. For instance, Page C is our payment gateway and requires immediate attention. Keeping an eye on URI metrics is essential for prioritization.

Why: Important URIs take precedence in risk remediation for their business impact.

 

Attack Origin

Going a step deeper, wouldn’t it help if you had the attack numbers separated by country and IP address? The next generation of attack intelligence will not only tell you about attacks but also where they originate from.

[Image: cyber attack countries]

Why: Certain IP sets or countries can cause huge damage to your business. Identify them proactively.

 

Zero-day Attacks

Zero-day vulnerabilities are notorious for causing data breaches. A zero-day means zero days have passed since anyone knew about it, so no one has fixed it.

So, if there is no patch, how do you prevent attacks? The only way to consistently prevent such breaches to your web applications is to get into the mind of a hacker, profile their behaviour, and track their intent before they’ve attacked.

[Image: waf blocking]

You should have readily available data on how many zero-day vulnerabilities were found on the website and how they were protected. Indusface sends a weekly report to all its customers along with a publicly available zero-day report every month.

Why: No business can prepare against zero-day attacks. Ensure that you have proactive protection.

 

Category: Threat Analytics and Self Learning

Historic Attack Data

Most security professionals are busy dealing with issues as and when they see them. This includes periodic testing, patching when required and dealing with DDoS when there’s an outage. However, the future of application security is in round-the-clock hack prevention.

[Image: Cyberattack IP]

Machine learning and expert intelligence have changed everything. Collecting, monitoring, and analysing past threats will help your security team recognise patterns and create protection against future threats.

Why: Numbers and patterns from previous attacks help ensure protection in future.

 

Ill-reputed Identity (IPs, hacked tracking IDs) Labels

An extensive, studied, and labelled database is the cornerstone of web application security metrics. How difficult would it be to stop a DDoS attack if you already knew that the attacking IPs are of ill repute? Would it really take any time to block them all?

While this is a difficult process to manage in-house, managed security providers can help. For instance, AppTrana collects data from its 900+ customers and uses it as the basis to define, categorize and label identities based on several red flags.

Why: Studied attack patterns and behaviour help build future blocking and protection policies.   
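The attack-intelligence metrics described above (attempts against URIs with known open vulnerabilities, most attacked URIs, attack origin by country and IP) and the ill-reputed identity labels from this section all come from the same source: the WAF's block log joined with scanner results and a reputation list. The following is an added example, not code from the original post or from AppTrana; the log format, the open-vulnerability map and the reputation labels are constructed placeholders.

```python
import re
from collections import Counter

# Constructed WAF block-log lines (format and values assumed; the third line is deliberately malformed).
WAF_LOG = """\
2019-05-01T10:00:01Z BLOCK ip=203.0.113.7 country=XX uri=/checkout/pay rule=SQLi
2019-05-01T10:00:05Z BLOCK ip=203.0.113.7 country=XX uri=/checkout/pay rule=SQLi
garbage line that should be skipped
2019-05-01T10:01:12Z BLOCK ip=198.51.100.23 country=YY uri=/login rule=BruteForce
2019-05-01T10:02:40Z BLOCK ip=203.0.113.7 country=XX uri=/search rule=XSS
2019-05-01T10:03:00Z BLOCK ip=192.0.2.9 country=ZZ uri=/checkout/pay rule=SQLi
2019-05-01T10:04:30Z BLOCK ip=198.51.100.23 country=YY uri=/login rule=BruteForce
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) BLOCK ip=(?P<ip>\S+) country=(?P<country>\S+) uri=(?P<uri>\S+) rule=(?P<rule>\S+)$"
)

# Constructed: vulnerability class the scanner has already reported as open on each URI.
OPEN_VULNS = {"/checkout/pay": "SQLi"}

# Constructed reputation labels; a managed provider would supply these from its shared data.
IP_LABELS = {"203.0.113.7": "known scanner", "198.51.100.23": "credential stuffing"}

def parse_log(text):
    """Parse block-log lines into dicts, skipping malformed lines instead of failing the report."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def most_attacked_uris(events, n=3):
    """Per-URI attack counts, most attacked first (more actionable than one site-wide total)."""
    return Counter(e["uri"] for e in events).most_common(n)

def attacks_by_origin(events):
    """Attack counts per (country, ip) pair, highest first."""
    return Counter((e["country"], e["ip"]) for e in events).most_common()

def attacks_on_open_vulns(events, open_vulns=OPEN_VULNS):
    """Blocked attempts whose rule matches a vulnerability the scanner already found on that URI."""
    return Counter(e["uri"] for e in events if open_vulns.get(e["uri"]) == e["rule"])

def label_sources(events, labels=IP_LABELS):
    """Attach reputation labels to every attacking IP; unlabelled IPs are reported as 'unknown'."""
    return {ip: labels.get(ip, "unknown") for ip in {e["ip"] for e in events}}
```

A URI that shows up in attacks_on_open_vulns is the page to patch or virtually patch first, and an "unknown" source with a high count in attacks_by_origin is a candidate for a new label.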

Application Security Metrics Checklist

Keeping your application secure is a team effort. Although it is a long-term process, you can start today by getting the right numbers and asking the right questions.

Build your foundation on these three things.

  • Do you have the number and criticality of all vulnerabilities?
  • Are they patched? If not, are they behind WAF protection?
  • Are you monitoring, collecting and analysing attack patterns?

Having trouble with these numbers? Sign up for AppTrana for Free to get your own managed security team to help set up continuous hack prevention.

Or you can start with the AppTrana Free Plan to at least detect the basic vulnerabilities before hackers discover and exploit them.


Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.