Session Name: Velocity + Safety: Security Metrics All DevOps Should Care About
DORA metrics have changed the way engineering organizations think about everything from delivery to production engineering. They have become the backbone of how we quantify engineering quality, and they have pushed the industry to pursue greater safety alongside better delivery practices. The security world needs to level up and derive similar benefits from measurement. In this talk we’ll unveil first-of-their-kind security DORA metrics that should become the backbone for measuring and optimizing security posture in every engineering organization. We’ll focus on metrics such as security MTTR (mean time to remediation), security CFR (change failure rate, where the failure is a shipped security vulnerability), security detection rate, exposure window, and findings over time, and demonstrate how these, too, map directly to engineering maturity and velocity. You’ll come away understanding how to extract the relevant data and telemetry from the open source security tools you already use (or can adopt quite rapidly), so that you have transparency around security goals and performance and can continuously improve your security engineering culture and posture without compromising velocity.
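As an added example (not code from the talk or from any tool it mentions), the Python below computes the five metrics named above from constructed deploy and finding records. The abstract names the metrics but does not define them, so the definitions, the record fields (`deploy_id`, `detected_by`, `detected_at`, `remediated_at`) and the sample data are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class Finding:
    fid: str
    deploy_id: str                      # deploy that shipped the vulnerable change
    detected_by: str                    # "scanner" = our own tooling, "external" = outside report
    detected_at: datetime
    remediated_at: Optional[datetime]   # None = still open

@dataclass
class Deploy:
    did: str
    deployed_at: datetime

def d(s): return datetime.fromisoformat(s)
def days(td): return td.total_seconds() / 86400

# Constructed sample data (hypothetical, not from any real scanner export)
DEPLOYS = [Deploy("d1", d("2024-01-01")), Deploy("d2", d("2024-01-08")),
           Deploy("d3", d("2024-01-15")), Deploy("d4", d("2024-01-22"))]
FINDINGS = [Finding("f1", "d1", "scanner",  d("2024-01-02"), d("2024-01-05")),
            Finding("f2", "d1", "scanner",  d("2024-01-03"), d("2024-01-13")),
            Finding("f3", "d3", "external", d("2024-01-20"), d("2024-01-22")),
            Finding("f4", "d4", "scanner",  d("2024-01-23"), None)]

def security_mttr(findings):
    """Security MTTR: mean days from detection to remediation over closed findings."""
    closed = [f for f in findings if f.remediated_at]
    return mean(days(f.remediated_at - f.detected_at) for f in closed) if closed else None

def security_cfr(deploys, findings):
    """Security CFR: share of deploys that shipped at least one confirmed vulnerability."""
    bad = {f.deploy_id for f in findings}
    return sum(dep.did in bad for dep in deploys) / len(deploys)

def detection_rate(findings):
    """Share of findings our own tooling caught rather than an outside party."""
    return sum(f.detected_by == "scanner" for f in findings) / len(findings)

def exposure_window(deploys, findings, now):
    """Mean days vulnerable code was live: deploy time to remediation (or `now` if open)."""
    shipped = {dep.did: dep.deployed_at for dep in deploys}
    return mean(days((f.remediated_at or now) - shipped[f.deploy_id]) for f in findings)

def findings_over_time(findings, start, weeks):
    """Open-finding count at the end of each week: the trend line to watch."""
    ends = [start + timedelta(weeks=w) for w in range(1, weeks + 1)]
    return [sum(f.detected_at <= t and (f.remediated_at is None or f.remediated_at > t)
                for f in findings) for t in ends]
```

Feed it records exported from your scanner and deployment pipeline in place of the constructed lists, and track the outputs per release to see whether remediation speed and exposure move with delivery velocity.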