« Complexity Enemy of Web Services Security | Main | Why I Love OWASP AppSec »



Hi Gunnar,

I'd be interested to find out how you differentiate between "metric" and "statistic".


That didn't come out right. Not enough coffee and too much jetlag

- that should read:

"I'd be interested to find out how you differentiate between -the value of the different- "metrics" and -their- "statistics" to an organization."

That is to say, clearly some metrics are worth more than others. How would you arrive at how much more valuable, say, your AuthZ metric is vs. your Policy Compliance metrics?


Hi Alex,

I think it is a fair point that many of these are stats not metrics. This list came out of a rapid fire exercise in the middle of a web services security training I did last week. The point of the exercise (beyond me banging the drum for metrics) is to try to get the people in the class to reason about the security problems in a new way - instead of relying on axioms like firewalls, let's try to come up with objective measures. So stats may be used to build up metrics, where I would define a metric as stat(s) plus context. This list was compiled from me just typing in what the class came up with on the fly, so context needs to be built up.

I like to publish these lists, because there are frequently senior practitioners in the class that come up with some creative ways at looking at these problems

The comments to this entry are closed.