DJ is a DevSecOps pioneer, creator of The DevSecOps Experiments, a DevSecOps Evangelist, and a Security Architect. He provides thought leadership to organizations adopting DevSecOps practices worldwide. DJ specializes in designing DevSecOps pipelines and automating security controls in DevOps environments. He is also an ethical hacker and performs significant R&D work in Moving Target Defense.
DJ has worked to streamline the development practices for many Fortune 100 organizations by focusing on culture, technique, the right technology, and the goals of the business. He is an international speaker, blogger, instructor and author in the DevSecOps community where he encourages organizations to deeply integrate a culture of security and trust into their core values and product development journey.
Session: Imperial vs. Metric & Why Defect Density Sucks
When you want to know what the temperature is outside, you have two ways to do it. You can lick the tip of your finger, stick it out a window, and get a feeling for the temperature, or you can look at a thermometer placed outside your window and see an accurate reading.
Defect density, flaw density, or whatever you want to call it, is an absolutely useless measurement. Not only can the number be easily gamed, it also doesn't factor in vulnerabilities entering through the Software Supply Chain. I'm going to dig deep into a different calculation of security risk, the Application Security Health (ASH) score, and discuss the algorithms used to represent the security health of an application.