What are the web application security KPIs?

Cybersecurity + Defense + blog Z. Oualid today


Cybersecurity is one of the most critical jobs in a company. Unfortunately, most people do not know how to explain and defend this aspect of their work. To be able to defend your security work and investment, you need to quantify the job you are doing. Therefore, here are eight web application security KPIs designed specifically to measure the security level of your website:

  • Number of security incidents
  • Level of preparedness
  • Mean Time to Detect
  • Mean Time to Resolve
  • Patching cadence
  • Vendor patching cadence
  • Cost Per Incident
  • Web application uptime

If you want more details and examples about these KPIs, just keep reading!

Before we even start to talk about those KPIs, I would like you to know that most of the following KPIs are based on monitoring data. In other words, if you want to quantify your job, you will need to put in place a monitoring system that records the events from which most of the following KPIs are derived.

Number of security incidents

I think the very first and easiest KPI you can start tracking in your security dashboard is the number of security incidents. This KPI helps you quantify your daily work by counting the actions performed by the team to deal with the security incidents that happen in your application.

You can also start calculating the day-to-day change in the number of security incidents over the year to know whether those incidents are increasing or decreasing. This is, by the way, a good KPI to track to be able to justify your security budget.

Trust me, when your team members start being comfortable with security incidents, in terms of the actions to take and the handling of the security tools, you will definitely notice an increase in recorded security incidents. Likewise, simply adding a security solution to your system will make the number of security incidents go up, because more of what was already happening now gets detected.

Just to give you an example of what a security incident may look like: a security incident could be as simple as a bot or someone scanning the web application server or app. It could also be multiple failed authentications …

Level of preparedness

The level of preparedness means the number of applications or components that are fully patched. To be honest, this KPI is very hard to calculate, especially when we are dealing with a custom application that was developed for the company's needs only. Let me explain why with an example:

If you have a website made with WordPress, then this level is easily calculated by counting the number of patched plugins on your website, as the vulnerabilities are already public. Now, when we talk about the level of preparedness in a custom application, the vulnerabilities are not known in advance: nobody else runs that code, so there is no public advisory list to check against, which makes it even harder.

Now, to solve this issue and to be able to calculate this KPI, all you need to do is perform a periodic penetration test against your app. Then, you will know the number of vulnerabilities you have in your app. After that, to know how many vulnerabilities are patched, you can perform a verification penetration test (most of the time the service provider does this for free).

Most security standards recommend performing a penetration test every 6 months.

Mean Time to Detect

The mean time to detect security incidents is an important KPI to track. As I said in the first paragraphs of this article, to be able to calculate this KPI you will need to have a monitoring system. It means that you would need both technical and human resources to be able to detect the incidents, and the timestamps of when the malicious activity started and when the alert was raised.

Being able to detect the attacks that happen against your application will help you mitigate the risk of being hacked. I encourage you to take a look at the recommended monitoring tools page to get an idea about that.

Mean Time to Resolve

To resolve a security incident, the responsible person needs to perform multiple steps:

  1. Prepare the team that must intervene to solve the incident (like the dev team or security team …)
  2. Identify exactly the source of the incident and its type, by analyzing the monitoring alerts
  3. Solve the issue
  4. Recover (for example, in the case of a ransomware attack or data loss …)
  5. Analyze the incident to learn lessons and to be well prepared for a future attack

Therefore, to calculate this KPI, you will need to take all these steps into consideration for every security incident that happens, measuring from the moment the alert was raised until the incident is closed. As always, this KPI is mainly based on the data of the monitoring system.
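As an added illustration (not code from the original article), the following script computes three of the KPIs above, the number of incidents per day, Mean Time to Detect and Mean Time to Resolve, from a constructed incident log. The record layout (`started`, `detected`, `resolved` timestamps) is an assumption; it stands in for whatever your monitoring system exports.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not real data). Each record holds ISO
# timestamps for when the malicious activity began, when monitoring raised the
# alert, and when the team closed the incident (None while still open).
INCIDENTS = [
    {"id": "INC-1", "type": "scanner", "started": "2023-03-01T08:00:00",
     "detected": "2023-03-01T08:30:00", "resolved": "2023-03-01T10:30:00"},
    {"id": "INC-2", "type": "failed-logins", "started": "2023-03-02T22:00:00",
     "detected": "2023-03-03T01:00:00", "resolved": "2023-03-03T02:00:00"},
    {"id": "INC-3", "type": "scanner", "started": "2023-03-05T12:00:00",
     "detected": "2023-03-05T12:15:00", "resolved": None},
]


def _hours(later, earlier):
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return delta.total_seconds() / 3600


def incidents_per_day(incidents):
    """Number of security incidents, counted on the day the alert fired."""
    return dict(Counter(i["detected"][:10] for i in incidents))


def mean_time_to_detect_hours(incidents):
    """MTTD: mean gap between the start of the activity and the alert."""
    gaps = [_hours(i["detected"], i["started"]) for i in incidents]
    return mean(gaps) if gaps else None


def mean_time_to_resolve_hours(incidents):
    """MTTR: mean gap between the alert and closure, closed incidents only.
    Open incidents are excluded rather than counted as zero, which would
    silently flatter the KPI; report them separately (see open_incidents)."""
    gaps = [_hours(i["resolved"], i["detected"]) for i in incidents if i["resolved"]]
    return mean(gaps) if gaps else None


def open_incidents(incidents):
    """IDs of incidents still unresolved, to show next to MTTR."""
    return [i["id"] for i in incidents if not i["resolved"]]


if __name__ == "__main__":
    print("incidents per day:", incidents_per_day(INCIDENTS))
    print("MTTD (hours):", mean_time_to_detect_hours(INCIDENTS))
    print("MTTR (hours):", mean_time_to_resolve_hours(INCIDENTS))
    print("still open:", open_incidents(INCIDENTS))
```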

Patching cadence

We all know that patching is the most difficult part of the security industry and a very time-consuming process. That is why you should keep tracking and improving this process, to reduce the time needed to install, or even to develop, a patch for the vulnerable app.

This KPI simply represents the mean time needed for your team to install or develop the patches. The lower this number goes, the more the risk is reduced.

When I say patching, I mean the system vulnerabilities and all the components related to the web application as well, not only the application code vulnerabilities.

Vendor patching cadence

In the patching process, it is not only your own time to implement or develop the patches that counts. The cadence at which your vendors produce their patches is also important and needs to be taken into consideration.

This point is very critical, and my advice to you is: if you find that your vendor does not respond as quickly as possible to patch its own vulnerabilities, then you should think about changing vendor. Patching is the most critical part of a solution's support; ignoring it will put your whole system in danger.

Cost Per Incident

This KPI helps you get an idea of how much money a cybersecurity incident costs you. It is very important, especially when you need to put together next year's information security budget.

As your security program matures and the number of detected incidents gets even higher, this cost will increase, which is very normal, as explained previously, and is also a consequence of the business's success.

Web application uptime

Here is the best KPI in the whole list, the one that actually represents your good work in terms of cybersecurity. This KPI has a big impact on the others: if your web application goes down because of a cybersecurity incident, then even the cost per incident will go up.

This increase in cost corresponds to the amount of money that will be lost if this event happens.

As you have seen in this article, if you want to correctly track these KPIs, you will need to think seriously about the monitoring system and about investing in security solutions for better visibility. To get a better idea of the best monitoring tools, take a look at our recommended tools page, where I have specified the best monitoring tool for each type of web application (small websites, medium, and big web applications).

Written by: Z. Oualid


About the author

Z. Oualid

I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE, which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).
