PROTIP: Publish Security Scoreboards Internally

Scoreboards have been around forever, used to show who’s winning, how competitors rank, and sometimes to track what has transpired. Scoreboards are seen in sports, video games, stock markets, box office sales, traffic analytics, education, and on and on. As a fundamental concept, scoreboards also have the powerful ability to harness a basic human instinct — competitiveness. Leaders at the top of a scoreboard will naturally work to preserve their position, those further down are innately compelled to fight to move up, and collectively all participants are similarly driven towards a common objective. Harnessing this influence, many organizations have found that using scoreboards to measure and communicate “security” objectives can be amazingly effective at aligning business interests.

Achieving similar success requires first choosing a useful and collectable set of security metrics where the organization would like to improve. Anything measured tends to improve. These metrics may be the total number of vulnerabilities, remediation rates & speed, vulnerabilities-per-input, percentage of developers passing awareness training, time exposed to serious issues, and so on. Next, start collecting data. When enough is gathered, the results are properly formatted, typically organized by subsidiary, business unit, or team, and the reports are published internally for all to see. Security scoreboard leaders will be proud to see their performance recognized as they set the standard for coworkers to follow. Laggards feel a sense of pressure to do the things necessary to close the gap with their peers. Less and less will security teams have to chase down the weakest links; those needing the most help will begin seeking them out.



Tags: web application security
  • http://Www.securityscoreboard.com Dominique Levin

    This post threw me off for a second. We have built an industry-wide Security Scoreboard which rates vendors (www.securityscoreboard.com) but that is not what you mean here I guess … Still, thanks for referencing our name and feel free to contribute or comment on how we can improve our version of the Scoreboard!

  • http://www.whitehatsec.com/ Jeremiah Grossman

    @Dominique Oops, sorry. I didn’t mean to step on the name like that with the blog post title. Updated to avoid any confusion. I am very familiar with Security Scoreboard (www.securityscoreboard.com), a great site and service, and yes… the content of the post was for an entirely different purpose. Please keep up the good work.