Today, ZeroNorth introduces its new defect density dashboard to help security leaders engage with development leaders more effectively through a common framework that aligns software vulnerabilities with software quality. I will get to what this means in a second, but first, let’s start with a brief explanation of what defect density is.
Defect density is a standard industry metric that measures the number of confirmed defects per 1000 lines of software code. It is often used by engineering organizations to help determine the quality of software code.
ZeroNorth has developed a new variant of the defect density metric, one for application vulnerabilities. The ZeroNorth defect density dashboard, available within the ZeroNorth platform, represents the number of confirmed vulnerabilities per 1000 lines of code, normalized across the scan findings of your SCA and SAST scanning tools.
Why is this necessary and important?
First, many AppSec tools already produce their own defect density metrics; however, those metrics are calculated over the raw issues detected. Moreover, if you are running multiple scanners against the same entity (a repo or a build artifact), they may count lines of code very differently from one another, because the result depends on which files or components each tool includes in its line count.
Second, SCA and SAST scanners typically report large volumes of raw issues. However, the actual security vulnerabilities, the ones that make it into the final product, reach production and create risk, are typically far fewer than the issues reported at this early stage of the software development life cycle. Because ZeroNorth compresses vulnerability findings from across all the scanners, the ZeroNorth defect density dashboard can provide an earlier and more realistic gauge of the quality and riskiness inherent in the application.
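The two problems above, scanner-specific line counts and raw versus confirmed issues, are easiest to see with numbers. The following is an added illustration, not ZeroNorth's code or a description of how the platform computes its metric: it uses constructed findings from two hypothetical SAST tools and one SCA tool, a single repo-wide line count, and a scope rule applied identically to findings and to lines of code, then compares each tool's own raw density with a de-duplicated, confirmed-only density per 1000 lines.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    scanner: str      # tool that reported the issue
    path: str         # file (or dependency manifest) the issue lives in
    line: int
    weakness: str     # CWE id or other rule id
    confirmed: bool   # triaged as a real vulnerability, not just a raw issue


# Constructed sample: two SAST tools and one SCA tool run on the same repo.
RAW_FINDINGS: List[Finding] = [
    Finding("sast-a", "src/app.py", 42, "CWE-89", True),
    Finding("sast-b", "src/app.py", 42, "CWE-89", False),   # same issue, second tool
    Finding("sast-a", "src/app.py", 77, "CWE-79", False),   # raw issue, never confirmed
    Finding("sast-b", "src/db.py", 10, "CWE-798", True),
    Finding("sca", "requirements.txt", 3, "SCA-EXAMPLE-001", True),  # constructed id
    Finding("sast-b", "vendor/lib.js", 5, "CWE-79", True),  # third-party code
]

# One line count per file, produced once for the whole repo (constructed numbers),
# so every scanner's findings are measured against the same denominator.
LOC_PER_FILE: Dict[str, int] = {
    "src/app.py": 1500,
    "src/db.py": 480,
    "requirements.txt": 20,
    "vendor/lib.js": 5000,
}


def first_party(path: str) -> bool:
    """Scope rule applied to both findings and LOC: ignore vendored code."""
    return not path.startswith("vendor/")


def compress(findings: List[Finding]) -> Dict[Tuple[str, int, str], bool]:
    """Merge findings that describe the same weakness at the same location,
    whichever scanner reported them. A merged finding counts as confirmed
    if any scanner confirmed it."""
    merged: Dict[Tuple[str, int, str], bool] = {}
    for f in findings:
        key = (f.path, f.line, f.weakness)
        merged[key] = merged.get(key, False) or f.confirmed
    return merged


def defect_density(findings: List[Finding], loc_per_file: Dict[str, int],
                   in_scope: Callable[[str], bool] = lambda p: True) -> float:
    """Confirmed, de-duplicated vulnerabilities per 1000 lines of in-scope code."""
    loc = sum(n for path, n in loc_per_file.items() if in_scope(path))
    confirmed = sum(1 for (path, _, _), ok in compress(findings).items()
                    if ok and in_scope(path))
    return confirmed / (loc / 1000)


def raw_density_per_scanner(findings: List[Finding],
                            loc_per_file: Dict[str, int]) -> Dict[str, float]:
    """What each tool would report on its own: raw issue count divided by the
    lines of only the files it touched (mimicking tools that count LOC over
    whatever they analysed, so the figures are not comparable across tools)."""
    out: Dict[str, float] = {}
    for scanner in sorted({f.scanner for f in findings}):
        mine = [f for f in findings if f.scanner == scanner]
        loc = sum(loc_per_file[p] for p in {f.path for f in mine})
        out[scanner] = len(mine) / (loc / 1000)
    return out


if __name__ == "__main__":
    for tool, d in raw_density_per_scanner(RAW_FINDINGS, LOC_PER_FILE).items():
        print(f"{tool:7s} raw issues per KLOC (own line count): {d:.2f}")
    print("normalized, all files:  %.2f per KLOC"
          % defect_density(RAW_FINDINGS, LOC_PER_FILE))
    print("normalized, first-party: %.2f per KLOC"
          % defect_density(RAW_FINDINGS, LOC_PER_FILE, first_party))
```

Six raw issues collapse to five distinct locations, of which four are confirmed; restricting both numerator and denominator to first-party code gives 3 confirmed vulnerabilities over 2000 lines, or 1.5 per KLOC. The per-tool raw figures (about 1.33, 0.43 and 50 per KLOC) show why a density reported by each scanner on its own terms cannot be compared or trended across tools.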
What does the ZeroNorth defect density dashboard deliver?
First and foremost, it provides a meaningful way for security and development teams to get on the same page, by framing application security defects within the context of code quality, a framework that developers understand and that aligns with their KPI drivers. For example, if ZeroNorth's defect density metrics are higher than acceptable thresholds, this indicates potential issues within the code. With this insight, which aligns with their frame of reference for software quality, engineering leaders are likely to be motivated to take pre-emptive action to address quality defects within existing DevOps processes at this stage of the game. This way they can avoid costly late-stage vulnerability remediation work, which they know will disrupt their processes and could delay software delivery.
As Jim Routh, Head of Enterprise Cyber Security at MassMutual, succinctly says, “The use of defect density as a key performance indicator for software resiliency is essential to supporting the instrumentation of the development pipeline for DevSecOps professionals.”
Second, the defect density dashboard can help to assess trends in software quality over time, whether it is improving or declining. This information can be used, for example, to help establish a baseline for acceptable standards, measure quality against SLAs, identify any training or tools the development team may need, and ultimately help support business and operational projections regarding the quality and security of products, well before they are deployed into production.
You can read more details on the ZeroNorth Defect Density Dashboard here, and check out more of Jim Routh's thoughts on defect density and the relationship between software quality and security in this on-demand webinar. And if you'd like to go a bit deeper, please contact us for a demo or conversation.