July 11, 2022

How to Leverage Self-Service Peer Benchmarking to Manage and Measure Your Software Security Program

By Devin Maguire

It is not hard to set application security goals. Security teams want to reduce risk. Developers want to quickly meet the requirements of security policy and hit deadlines. Executives want growth within their risk tolerance. What is hard is defining an appropriate level of risk and measuring whether your AppSec program is efficient, effective, and returning the expected outcomes for your investments. While internal analytics can measure directional progress and performance, they do not offer the context to understand whether that progress and performance are above, at, or below average. Peer benchmarking gives you that context.

Veracode’s self-service peer benchmarking puts the power of our unparalleled data into your hands so you can measure against peer organizations to identify strengths and weaknesses, track KPIs, leverage security as a competitive advantage, and more. There are four essential elements necessary to deliver self-service peer benchmarking:

  • A broad and diverse customer base against which to benchmark
  • A multi-tenant SaaS solution that aggregates data across this customer base
  • Deep experience translating this data into actionable insights to inform decisions
  • The ability for customers to leverage this data in a secure and self-serviceable way

As a leader in application security with nearly two decades of aggregate customer data from scanning trillions of lines of code, and over a dozen years’ experience using this data to inform the industry of trends and best practices via the annual State of Software Security (SOSS) report, Veracode is uniquely able to deliver peer benchmarking. And while peer benchmarking is not new for Veracode, we are now delivering it in a self-service manner so you can tap into this data to generate the most relevant and meaningful benchmarks for your organization.

With self-service peer benchmarking, you can measure your flaw and remediation performance against subsets of the Veracode community. Initially, you can benchmark four metrics (fix rate, time to remediation, percent of applications with flaws, and percent of applications with high-severity flaws) against three peer groups (all Veracode customers, peers in your industry, and peers with a similar number of applications).

For example, you can compare your time to remediation against all Veracode customers to measure the efficiency of your AppSec program. Or you can benchmark the percent of your applications with high-severity flaws against peers in your industry to gauge your security posture. The value of peer benchmarking, however, does not come just from a single snapshot but also from the ability to track performance by viewing reports on demand.

Here are three ways you can use peer benchmarking as part of your AppSec strategy.

Use peer benchmarking to identify strengths and weaknesses and drive conversations to improve the efficiency and effectiveness of your AppSec program.

Many organizations struggle to understand the current state of their application security program, define what “good” looks like, and identify where they are strong and where they need to improve. Self-service peer benchmarking lets you measure your application security and remediation performance against peer Veracode customers. And unlike the annual SOSS report, which dives into macro trends, self-service peer benchmarking lets you generate on-demand “apples-to-apples” comparisons to explore the trends most relevant to your organization.

But as the adage goes, “Knowledge without application is simply knowledge. Applying the knowledge is wisdom.” In the case of peer benchmarking, you can apply learnings to diagnose issues and proactively prescribe programs and strategies to improve the efficiency and effectiveness of your AppSec program.

Return to the example above where you benchmarked your time to remediation. Without peer benchmarking, it is challenging to first diagnose time to remediation as an area of concern, quantify the issue, and then communicate it to leadership and influence strategy. With peer benchmarking, you can immediately identify an issue, start discovery into your current state, and generate conversations around how to improve. That conversation should include dialogue with Veracode customer success managers to assess strategies and programs like Security Labs, which correlates with a 35% reduction in the half-life of flaws. It is not about simply knowing where you are relative to peers. It is about pairing this knowledge with prescribed fixes and prioritization to achieve goals and outcomes.

The next step is tracking those outcomes.

Use peer benchmarking to track KPIs and measure performance over time.

As stated above, the value of peer benchmarking is not just in measuring where you are today but also in viewing on-demand reports over time to assess the impact of effort and investments. Veracode offers a robust suite of analytics to manage and measure your security posture and performance. Peer benchmarking supplements these internal-facing analytics with comparative metrics against peers in your industry or with similar application portfolios. This provides essential context to gauge the delta between where you are today and where you want to be, define appropriate KPI goals at the outset, and then track performance against those goals moving forward.

Staying with the example above, let us say you implement Security Labs courses to improve time to remediation. Without benchmarking, you could measure the effect but would struggle to first define a target KPI (What time to remediation should we target?) and then assess the degree of improvement (For our investment, are our outcomes good, bad, or exceptional?). With peer benchmarking, you know where you are relative to peers, so you can define your target KPI (We want to reduce time to remediation by six weeks to reach the mean remediation time for our industry) and then measure against that benchmark KPI to assess the effectiveness of your effort (after completing Security Labs courses, our average time to remediation is now at or better than the mean for our industry).
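To make the four metrics and the KPI comparison above concrete, here is an added example that is not Veracode's code and does not use Veracode's formulas: it computes fix rate, time to remediation, percent of applications with open flaws and percent with open high-severity flaws from a constructed set of flaw records, then reports the gap to a constructed industry peer mean for each metric. The severity scale, the "high severity" cutoff and the use of a median for time to remediation are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Metric definitions here are assumptions for illustration, not Veracode's
# published formulas. All data below is constructed.

@dataclass(frozen=True)
class Flaw:
    app: str
    severity: int          # assumed 1-5 scale; 4 and 5 count as high severity
    found: date
    fixed: Optional[date]  # None while the flaw is still open

# Direction of "better" per metric, used when comparing against peers.
HIGHER_IS_BETTER = {"fix_rate": True, "time_to_remediation_days": False,
                    "pct_apps_with_flaws": False, "pct_apps_with_high_flaws": False}

def program_metrics(flaws: list, apps: list) -> dict:
    """Compute the four benchmarked metrics for one organisation's portfolio."""
    fixed = [f for f in flaws if f.fixed is not None]
    open_flaws = [f for f in flaws if f.fixed is None]
    apps_with_flaws = {f.app for f in open_flaws}
    apps_with_high = {f.app for f in open_flaws if f.severity >= 4}
    return {
        "fix_rate": len(fixed) / len(flaws) if flaws else 0.0,
        # median days from discovery to fix; a median is not skewed by a few very old fixes
        "time_to_remediation_days": median((f.fixed - f.found).days for f in fixed) if fixed else 0.0,
        "pct_apps_with_flaws": 100 * len(apps_with_flaws) / len(apps),
        "pct_apps_with_high_flaws": 100 * len(apps_with_high) / len(apps),
    }

def benchmark(mine: dict, peers: dict) -> dict:
    """Per metric: our value, the peer mean, the gap, and whether we are at or better than peers."""
    report = {}
    for name, value in mine.items():
        gap = value - peers[name]
        better = gap >= 0 if HIGHER_IS_BETTER[name] else gap <= 0
        report[name] = {"mine": value, "peer_mean": peers[name], "gap": round(gap, 2), "at_or_better": better}
    return report

APPS = ["api", "web", "billing"]  # constructed portfolio of three applications
FLAWS = [  # constructed findings; dates chosen so the arithmetic is easy to follow
    Flaw("api", 5, date(2022, 1, 10), date(2022, 2, 9)),    # fixed in 30 days
    Flaw("api", 3, date(2022, 3, 1), date(2022, 3, 21)),    # fixed in 20 days
    Flaw("web", 4, date(2022, 2, 15), None),                # open, high severity
    Flaw("web", 2, date(2022, 4, 1), date(2022, 5, 11)),    # fixed in 40 days
    Flaw("billing", 2, date(2022, 5, 5), None),             # open, low severity
]
# Constructed stand-in for an industry peer-group report.
PEER_INDUSTRY_MEAN = {"fix_rate": 0.55, "time_to_remediation_days": 60.0,
                      "pct_apps_with_flaws": 70.0, "pct_apps_with_high_flaws": 25.0}

if __name__ == "__main__":
    for name, row in benchmark(program_metrics(FLAWS, APPS), PEER_INDUSTRY_MEAN).items():
        status = "at or better" if row["at_or_better"] else "below peers"
        print(f"{name:26} mine={row['mine']:7.2f} peers={row['peer_mean']:7.2f} gap={row['gap']:+8.2f} {status}")
```

On this constructed data the organisation beats the peer mean on three metrics but has a higher share of applications with open high-severity flaws, which is the kind of gap the text suggests turning into a KPI.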

Use peer benchmarking to quantify AppSec strengths and leverage security as a competitive advantage.

It takes a lot of hard work to build a mature AppSec program and deliver secure software. That hard work pays off with lower risk, faster time to compliance, and more resources available to create innovative features and functionality. It also pays off in conversions. As security becomes an increasingly significant customer decision factor, building trust and confidence with customers and prospects translates into higher revenue and customer retention.

Certifications like Veracode Verified are one way to build this trust and confidence. Another way is peer benchmarking. Peer benchmarking gives your go-to-market teams quantifiable metrics to demonstrate security-based strengths in customer-facing conversations. When you can show objective verification that your solution has fewer flaws and a lower risk profile than other industry offerings, you should, and now can, leverage that to win more business.

What’s next for self-service peer benchmarking?

The use cases above only scratch the surface of self-service peer benchmarking, especially as we expand the metrics and variables you can use to generate reports. So, how do you envision peer benchmarks informing your AppSec strategy? What metrics would generate the most actionable insights or have the greatest impact? Is it the ability to further refine peer groups by tech stack and coding language? Correlations between platform usage and outcomes? Predictive analytics and recommendations? Something else?

Contact us to share your ideas and speak with the team about self-service peer benchmarking.

Devin is a Sr. Product Marketing Manager helping customers confidently deliver secure software faster by placing developers and security practitioners at the fulcrum of Veracode’s product positioning and messaging.