Stalking the right software security metric
Zach Gemignani of JuiceAnalytics posits four rules for Choosing the Right Metric: a good metric is actionable, has a common interpretation, rests on accessible and credible data, and uses a transparent, simple calculation.
Static analysis tools are among the best tools a security metrician has, so let's see how their output holds up on each of the four dimensions.
Actionable - Static analysis findings are actionable because the tools prescribe a remediation for each vulnerability they report.
Common interpretation - This is generally the hardest thing to get "out of the box"; a common interpretation of a security metric usually requires mapping the findings onto policy, architecture, and/or standards that the stakeholders have already agreed on.
Accessible, credible data - Static analysis runs against an objective, customizable set of rules, so anyone can inspect a rule and verify its logic, which makes the resulting data both accessible and credible.
Transparent, simple calculation - At MetriCon 2.0, Fredrick DeQuan Lee from Fortify showed a nice, simple calculation for grading applications, modeled on the Morningstar star ratings for mutual funds:
1 Star: Absence of Remote and/or Setuid Vulnerabilities
2 Stars: Absence of Obvious Reliability Issues
3 Stars: Follow Best Practices
4 Stars: Documented Secure Development Process
5 Stars: Passed Independent Security Review
I am a big fan of maturity continuums like this one (if you can't earn even one star, there is not a lot we can do for you), because it gives you a fixed point and something to shoot for as you improve. This is just one example, but I think static analysis tools are the best security metrics tool we have in software security.
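The star ladder above is a cumulative one: each rung is only earned if every rung below it is already earned, which is exactly why a shop with a documented process but a remote vulnerability still scores zero. The following is an added example, written for this page and not code from Fortify, MetriCon or the original post, that implements the ladder as a transparent calculation over static analysis findings. The rule IDs, the `path:line:RULE_ID` report format and the sample applications are all constructed here for illustration; a real tool would supply its own rule names, and the mapping table is where the "customizable rules" from the accessible-data dimension would live.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Finding categories used by the grading ladder.
REMOTE, SETUID, RELIABILITY, BEST_PRACTICE = "remote", "setuid", "reliability", "best_practice"

# Hypothetical mapping from an analyzer's rule IDs to ladder categories.
# Real tools use their own rule names; this table is the customizable part.
RULE_CATEGORIES = {
    "SQL_INJECTION": REMOTE,
    "COMMAND_INJECTION": REMOTE,
    "BUFFER_OVERFLOW": REMOTE,
    "SETUID_PRIVILEGE_RETAINED": SETUID,
    "NULL_DEREFERENCE": RELIABILITY,
    "RESOURCE_LEAK": RELIABILITY,
    "WEAK_RANDOM": BEST_PRACTICE,
    "HARDCODED_PASSWORD": BEST_PRACTICE,
}


@dataclass
class Finding:
    rule_id: str
    path: str
    line: int

    @property
    def category(self) -> Optional[str]:
        # Unmapped rules get no category and do not affect the grade.
        return RULE_CATEGORIES.get(self.rule_id)


def parse_findings(report: str) -> List[Finding]:
    """Parse a constructed 'path:line:RULE_ID' report, one finding per line."""
    findings = []
    for raw in report.strip().splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        path, line, rule_id = raw.split(":", 2)
        findings.append(Finding(rule_id.strip(), path.strip(), int(line)))
    return findings


@dataclass
class Application:
    name: str
    findings: List[Finding] = field(default_factory=list)
    documented_secure_process: bool = False
    passed_independent_review: bool = False

    def has(self, *categories: str) -> bool:
        return any(f.category in categories for f in self.findings)


# The ladder, lowest rung first. Each rung is a label plus a predicate
# that returns True when the application earns that rung.
LADDER: List[Tuple[str, Callable[[Application], bool]]] = [
    ("Absence of remote and/or setuid vulnerabilities", lambda a: not a.has(REMOTE, SETUID)),
    ("Absence of obvious reliability issues", lambda a: not a.has(RELIABILITY)),
    ("Follow best practices", lambda a: not a.has(BEST_PRACTICE)),
    ("Documented secure development process", lambda a: a.documented_secure_process),
    ("Passed independent security review", lambda a: a.passed_independent_review),
]


def grade(app: Application) -> Tuple[int, Optional[str]]:
    """Return (stars, first unmet rung). Stars count consecutive rungs earned from the bottom."""
    stars = 0
    for label, earned in LADDER:
        if not earned(app):
            return stars, label
        stars += 1
    return stars, None


# Constructed sample reports; not output from any real analyzer.
SHOPPING_CART = parse_findings("""
src/cart.c:88:SQL_INJECTION
src/cart.c:142:RESOURCE_LEAK
""")
BILLING = parse_findings("""
src/billing.c:17:WEAK_RANDOM
""")


def demo() -> dict:
    apps = [
        # A documented process and a review do not rescue a remote hole: zero stars.
        Application("cart", SHOPPING_CART, True, True),
        Application("billing", BILLING, True, False),
        Application("ledger", [], True, False),
        Application("audit", [], True, True),
    ]
    return {app.name: grade(app) for app in apps}


if __name__ == "__main__":
    for name, (stars, blocker) in demo().items():
        suffix = f"  next rung: {blocker}" if blocker else ""
        print(f"{name}: {'*' * stars or '-'} ({stars}/5){suffix}")
```

Because `grade` stops at the first unmet rung, the returned label doubles as the "what to fix next" for that application, which is the actionable half of the metric; the ladder list itself is the whole calculation, so there is nothing hidden for a reader to distrust.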
Got ideas for the "right" security metric? MetriCon 3.0 is coming up soon!