
Getting Security and Development on the Same Page Through ZeroNorth’s New Defect Density Dashboard

ZeroNorth Platform

Publish Date

Nov 10, 2020

Written by

Joanne Godfrey

Tagged with

  • Application Security

Today, ZeroNorth introduces its new defect density dashboard to help security leaders engage with development leaders more effectively through a common framework that aligns software vulnerabilities with software quality. I will get to what this means in a second, but first, let’s start with a brief explanation of what defect density is.

Defect density is a standard industry metric that measures the number of confirmed defects per 1000 lines of software code. It is often used by engineering organizations to help determine the quality of software code.

ZeroNorth has developed a new variant of the defect density metric, one for application vulnerabilities. The ZeroNorth defect density dashboard, available within the ZeroNorth platform, represents the number of confirmed vulnerabilities per 1000 lines of code, normalized across the scan findings of your SCA and SAST scanning tools.

Why is this necessary and important?
First, many AppSec tools already produce their own defect density metrics; however, these metrics are calculated for the raw issues detected. Moreover, if you are using multiple scanners on the same entity (repo, build artifact) they may calculate lines of code very differently from each other – the results depend on which files or components are included in the calculation of lines of code.

Second, SCA and SAST scanners typically identify large volumes of raw issues. However, actual security vulnerabilities – ones that make it into the final product, and into production and create risk – are typically much fewer than the ones reported at this early stage of the software development life cycle. Because ZeroNorth compresses vulnerability findings from across all the scanners, the ZeroNorth defect density dashboard can provide a more realistic and early gauge of the quality and riskiness inherent in the application.
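To make the two arguments above concrete, here is an added illustration (not ZeroNorth's code, and not its actual algorithm) of the difference between a per-tool density computed over raw issues and each tool's own line count, and a density computed over confirmed findings de-duplicated across tools against one agreed line count. The scanner names, finding fields and line counts are constructed for the example.

```python
from collections import Counter

# Constructed sample findings from two hypothetical scanners ("sast-a", "sast-b")
# run against the same repository. Field names are assumptions for this example.
FINDINGS = [
    {"scanner": "sast-a", "file": "app/auth.py", "line": 42, "cwe": "CWE-89", "confirmed": True},
    {"scanner": "sast-a", "file": "app/auth.py", "line": 42, "cwe": "CWE-89", "confirmed": True},   # reported twice by the same tool
    {"scanner": "sast-a", "file": "app/views.py", "line": 10, "cwe": "CWE-79", "confirmed": False},  # triaged as not a real vulnerability
    {"scanner": "sast-b", "file": "app/auth.py", "line": 42, "cwe": "CWE-89", "confirmed": True},   # same issue seen by the second tool
    {"scanner": "sast-b", "file": "app/util.py", "line": 7, "cwe": "CWE-78", "confirmed": True},
]

# Each tool's own lines-of-code figure (constructed): they include different files,
# e.g. one counts tests and vendored code, the other does not.
SCANNER_LOC = {"sast-a": 2500, "sast-b": 4000}

# One agreed lines-of-code count for the repository (constructed).
PROJECT_LOC = 3000


def raw_density(findings, scanner_loc):
    """Density the way an individual tool reports it: raw issues / its own LOC * 1000."""
    counts = Counter(f["scanner"] for f in findings)
    return {s: round(counts[s] / loc * 1000, 2) for s, loc in scanner_loc.items()}


def compress(findings):
    """Collapse confirmed findings from all scanners to one entry per (file, line, CWE),
    remembering which scanners reported each one."""
    unique = {}
    for f in findings:
        if not f["confirmed"]:
            continue  # raw issues that did not survive triage do not count
        key = (f["file"], f["line"], f["cwe"])
        unique.setdefault(key, set()).add(f["scanner"])
    return unique


def normalized_density(findings, project_loc):
    """Confirmed, de-duplicated vulnerabilities per 1000 lines of code, using one LOC count."""
    return round(len(compress(findings)) / project_loc * 1000, 2)


if __name__ == "__main__":
    print("per-tool raw density:", raw_density(FINDINGS, SCANNER_LOC))       # {'sast-a': 1.2, 'sast-b': 0.5}
    print("normalized density:", normalized_density(FINDINGS, PROJECT_LOC))  # 0.67
```

The two tools disagree by more than a factor of two on the same repository, while the single normalized figure counts the one SQL injection both tools found only once and drops the finding that was triaged away.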

What does the ZeroNorth defect density dashboard deliver?
First and foremost, it provides a meaningful way for security and development teams to get on the same page, by framing application security defects within the context of code quality – a framework that developers understand and that aligns with their KPI drivers. For example, if ZeroNorth’s defect density metrics are higher than acceptable thresholds, this indicates there may be issues within the code. With this insight – which aligns with their frame of reference for software quality – engineering leaders are likely to be motivated to take pre-emptive action to address quality defects within existing DevOps processes at this stage of the game. This way they can avoid costly late-stage vulnerability remediation work, which they know will disrupt their processes and could delay software delivery.

As Jim Routh, Head of Enterprise Cyber Security at MassMutual, succinctly says, “The use of defect density as a key performance indicator for software resiliency is essential to supporting the instrumentation of the development pipeline for DevSecOps professionals.”

Second, the defect density dashboard can help to assess trends around the improvement or decline of software quality over time. This information can be used, for example, to help establish a baseline for acceptable standards, measure quality against SLAs, identify any training or tools the development team may need, and ultimately help support business and operational projections regarding the quality and security of products, well before they are deployed into production.

You can read more details on the ZeroNorth Defect Density Dashboard here, and check out more of Jim Routh’s thoughts on defect density and the relationship between software quality and security in this on-demand webinar. And if you’d like to go a bit deeper, please contact us for a demo or conversation.

