{"id":975,"date":"2024-06-25T13:59:17","date_gmt":"2024-06-25T13:59:17","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2024\/06\/25\/how-to-measure-devsecops-success-key-metrics-explained\/"},"modified":"2024-06-25T13:59:17","modified_gmt":"2024-06-25T13:59:17","slug":"how-to-measure-devsecops-success-key-metrics-explained","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2024\/06\/25\/how-to-measure-devsecops-success-key-metrics-explained\/","title":{"rendered":"How to Measure DevSecOps Success: Key Metrics Explained"},"content":{"rendered":"<p>DevSecOps involves the integration of security throughout the entire software development and delivery lifecycle, representing a cultural shift where security is a collective responsibility for everyone building software. By embedding security at every stage, organizations can identify and resolve security issues earlier in the development process rather than during or after deployment.<\/p>\n<p>Organizations adopting DevSecOps often ask, <em>\u201cAre we making progress?\u201d<\/em> To answer this, it\u2019s crucial to implement metrics that provide clear insights into how an organization\u2019s security posture evolves over time. Such metrics allow teams to track progress, pinpoint areas for improvement, and make informed decisions to drive continuous improvement in their security practices. By measuring the changing patterns in key indicators, organizations can better understand the impact of DevSecOps and make data-driven adjustments to strengthen their security efforts.\u00a0<\/p>\n<p>Organizations commonly have many DevSecOps metrics that they can draw from. In this blog post, we explore two foundational metrics for assessing DevSecOps success.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Key DevSecOps metrics<\/h2>\n<p><strong>1. 
Number of security vulnerabilities over time<\/strong><\/p>\n<p>Vulnerability analysis is a foundational practice for any organization embarking on a software security journey. This metric tracks the volume of security vulnerabilities identified in a system or software project over time. It helps organizations spot trends in vulnerability detection and remediation, signaling how promptly security gaps are being closed or mitigated. It can also be an indicator of the effectiveness of an organization\u2019s vulnerability management initiatives and their adoption, both of which are crucial to reducing the risk of cyberattacks and data breaches.<\/p>\n<p><strong>2. Compliance with security policies<\/strong><\/p>\n<p>Many industries are subject to cybersecurity frameworks and regulations that require organizations to maintain specific security standards. Policies provide a way for organizations to codify the rules for producing and using software artifacts. By tracking policy compliance over time, organizations can verify consistent adherence to established security requirements and best practices, promoting a unified approach to software development.<\/p>\n<p>The above metrics are a good starting point for most organizations looking to measure the impact of their DevSecOps transformation. The next step \u2014 once these metrics are implemented \u2014 is to invest in an observability system that enables relevant stakeholders, such as security engineering, to easily consume the data.<\/p>\n<h2 class=\"wp-block-heading\">DevSecOps insights with Docker Scout<\/h2>\n<p>Organizations interested in evaluating their container images against these metrics can <a href=\"https:\/\/docs.docker.com\/scout\/quickstart\/\" target=\"_blank\" rel=\"noopener\">get started in a few simple steps<\/a> with <a href=\"https:\/\/www.docker.com\/products\/docker-scout\/\" target=\"_blank\" rel=\"noopener\">Docker Scout<\/a>. 
The <a href=\"https:\/\/scout.docker.com\/\" target=\"_blank\" rel=\"noopener\">Docker Scout web interface<\/a> provides a comprehensive dashboard for CISOs, security teams, and software developers, offering an overview of vulnerability trends and policy compliance status (Figure 1). The web interface is a one-stop shop where users can drill down into specific images for deeper investigations and <a href=\"https:\/\/docs.docker.com\/scout\/policy\/configure\/\" target=\"_blank\" rel=\"noopener\">customize out-of-the-box policies<\/a> to meet their specific needs.<\/p>\n<p><a href=\"https:\/\/www.docker.com\/wp-content\/uploads\/2024\/06\/F1-Docker-Scout-dashboard.png\" target=\"_blank\" rel=\"noopener\"><\/a><strong>Figure 1: <\/strong>Docker Scout dashboard.<\/p>\n<p>Furthermore, the <a href=\"https:\/\/docs.docker.com\/scout\/metrics-exporter\/\" target=\"_blank\" rel=\"noopener\">Docker Scout metrics exporter<\/a> is a powerful addition to the Docker Scout ecosystem to bring vulnerability and policy compliance metrics into existing monitoring systems. 
This HTTP endpoint enables users to configure Prometheus-compatible tools to scrape Docker Scout data, allowing organizations to integrate with popular observability tools like <a href=\"https:\/\/grafana.com\/\" target=\"_blank\" rel=\"noopener\">Grafana<\/a> and <a href=\"https:\/\/datadoghq.com\/\" target=\"_blank\" rel=\"noopener\">Datadog<\/a> to achieve centralized security observability.\u00a0<\/p>\n<p>Figures 2 and 3 show two sample Grafana dashboards illustrating the vulnerability trends and policy compliance insights that Docker Scout can provide.<\/p>\n<p><a href=\"https:\/\/www.docker.com\/wp-content\/uploads\/2024\/06\/F2-Grafana-dashboard-compliance.png\" target=\"_blank\" rel=\"noopener\"><\/a><strong>Figure 2: <\/strong>Grafana Dashboard \u2014 Policy compliance.<\/p>\n<p>Figure 2 displays a dashboard that illustrates the compliance posture for each policy configured within a Docker Scout organization. This visualization shows the proportion of images in a stream that complies with the defined policies. At the top of the dashboard, you can see the current compliance rate for each policy, while the bottom section shows compliance trends over the past 30 days.<\/p>\n<p>Figure 3 shows a second Grafana dashboard illustrating the number of vulnerabilities by severity over time within a given stream. In this example, you can see notable spikes across all vulnerabilities, indicating the need for deeper investigation and prioritizing remediation.<\/p>\n<p><a href=\"https:\/\/www.docker.com\/wp-content\/uploads\/2024\/06\/F3-Grafana-dashboard-security.png\" target=\"_blank\" rel=\"noopener\"><\/a><strong>Figure 3: <\/strong>Grafana Dashboard \u2014 Vulnerabilities by severity trends.<\/p>\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n<p>Docker Scout metrics exporter is designed to help security engineers improve containerized application security posture in an operationally efficient way. 
To get started, follow the instructions in the <a href=\"https:\/\/docs.docker.com\/scout\/metrics-exporter\/\" target=\"_blank\" rel=\"noopener\">documentation<\/a>. The instructions will get you up and running with the current public release of metrics exporter.\u00a0<\/p>\n<p>Our product team is always open to feedback on social channels such as <a href=\"https:\/\/x.com\/docker\" target=\"_blank\" rel=\"noopener\">X<\/a> and <a href=\"https:\/\/dockr.ly\/comm-slack\" target=\"_blank\" rel=\"noopener\">Slack<\/a> and is looking for ways to evolve the product to align with our customers\u2019 use cases.<\/p>\n<h2 class=\"wp-block-heading\">Learn more<\/h2>\n<p>Visit the <a href=\"https:\/\/www.docker.com\/products\/docker-scout\/\" target=\"_blank\" rel=\"noopener\">Docker Scout<\/a> product page.<\/p>\n<p>Looking to get up and running? Use our <a href=\"https:\/\/docs.docker.com\/scout\/quickstart\/\" target=\"_blank\" rel=\"noopener\">Docker Scout quickstart<\/a> guide.<\/p>\n<p>Have questions? The <a href=\"https:\/\/www.docker.com\/community\/\" target=\"_blank\" rel=\"noopener\">Docker community is here to help<\/a>.<\/p>\n<p>New to Docker? 
<a href=\"https:\/\/docs.docker.com\/desktop\/\" target=\"_blank\" rel=\"noopener\">Get started<\/a>.<\/p>\n<p>Subscribe to the <a href=\"https:\/\/www.docker.com\/newsletter-subscription\/\" target=\"_blank\" rel=\"noopener\">Docker Newsletter<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>DevSecOps involves the integration of security throughout the entire software development and delivery lifecycle, representing a cultural shift where security [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","categories":[4],"tags":[],"class_list":["post-975","post","type-post","status-publish","format-standard","hentry","category-docker"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/975","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=975"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/975\/revisions"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=975"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=975"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=975"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}