
Security Metrics Automation

As you add more projects and run more testing, Uleska acts as a centralized repository of this information across your teams and security tools. Through the act of coordinating your security automation, and applying risk and issue categorization, Uleska is implicitly able to track security data, including:

  • Number of application projects tested
  • Number of vulnerabilities per project, per team, and across the organization
  • Time that vulnerabilities are found, fixed, and trends over time
  • Risk estimations per issue, application, team, and across the organization
  • Average risk and number of issues per project and team
  • Issue categorization (against OWASP ASVS categories)
  • More metrics are coming soon

For an overview of Uleska Security Metrics, check out the following video:


Security Metrics Overview

These metrics are automatically collected as security testing is orchestrated and aggregated through Uleska, across your projects. Uleska records a marker of metrics every Sunday night for historical tracking purposes. You can view these charts and metrics in the default charts included in the Uleska user interface.

Note that the default charts and graphs represent a core set of information that is useful for many users, and that this information, and more, is also available through the Uleska API. You can use the API to extract statistics from Uleska and build your own dashboards or charts.

Visible Roles

Currently, the charts and metrics can be viewed by the Customer Administration role and the Executive role. The Application Manager role doesn't currently have access to the Analytics and Financials tabs.

Analytics

Under the Analytics tab you will find pre-built analytics charts for your organization.

The span of projects represented by this Analytics chart depends on the range of applications the current user can view, i.e. the Team the current user is in. If the current user has visibility of all projects, then all will be represented in this chart. If the current user instead has visibility of a sub-team, then this chart will only show aggregated data on the projects in that sub-team. See Teams for more details on the Uleska team structures.


Security Analytics

The first chart shown is the overall risk level for vulnerabilities across your teams and applications.

[Screenshot: Risk chart]

This bar chart lets you measure your current risk against previous weeks, showing trends in the risk for the last 11 weeks. At the top you will be shown the current risk level ($742,000 in this example) along with the risk value increase or decrease over the last 4 weeks.

This risk information is taken automatically from the weekly snapshots of risk recorded by Uleska as testing is automated through it.

Note that the current week represents all testing scans run between the last Sunday night and the current time, meaning that newly found issues are included in the latest bar and in the information on this screen straight away (you don't need to wait until the next Sunday).


Vulnerabilities Chart

Clicking on the 'Vulnerabilities' tab above this chart will show you current and historical charts of the number of vulnerabilities across your projects.

[Screenshot: Vulnerabilities chart]

Again this shows you a historical bar chart of the number of vulnerabilities found across projects. It is handy to move between this chart and the previous risk chart, where you can quickly see how rises or falls in the number of vulnerabilities affect the risk posture. For example, in these screenshots, we can see that an increase of 7 new vulnerabilities in the last 4 weeks (around a 5% increase) has increased the risk by over $550,000 (around a 74% increase in risk).


Applications Onboarded Chart

The 'Applications' tab above this chart then shows you the number of applications that have been onboarded to the Uleska Platform with an 11-week historical trend.

[Screenshot: Applications onboarded chart]

This tells you the rate of onboarding over the last few months and how many apps are currently onboarded. You can use this to compare against the number of applications you expect to be tested through the Uleska Platform. Again you can quickly switch between this tab and the risk or vulnerabilities tabs to better understand your security story over the last few months. For example, maybe your risk and number of vulnerabilities have gone up simply because more apps are being tested, which gives you confidence that visibility is improving. Or maybe the risk has gone up but the number of apps has not.


Highest ASVS Risks Chart

Scrolling down the Analytics tab shows you the five ASVS categories that account for the most risk.

[Screenshot: Top 5 ASVS risks chart]

Issues across applications in the Uleska Platform that have their CVSS and ASVS categories set will register in this donut chart to help you understand where your biggest risks are coming from. This tells you where the gaps seem to be and can inform strategy on how to deal with them (e.g. online training on certain topics, brown bag sessions, etc.).

As you continue to fix issues and develop your applications, this top 5 ASVS risks chart will continually update, reflecting the current state of vulnerabilities, so you can keep referring to it.

Security Teams Metrics

At the bottom of the Analytics page you can view the teams metrics table, which shows statistics from each team, including:

  • Number of sub-teams
  • Number of applications owned by that location or team
  • Total number of vulnerabilities currently in the security backlog for that location or team
  • Total risk aggregated for that location or team
  • Average risk per application (total risk / number of applications)
  • Trend indicators for risk rises and falls over the last few weeks

This table allows teams to be compared in terms of risk and vulnerabilities. If you click on a row (location or team) that has sub-teams, the table expands to show the metrics for those sub-teams as well.


Security Metrics & Trends Automation

Under the Financials tab you will find pre-built overviews of the risk performance of various teams in your organization.

[Screenshot: Financials tab, Global view]

This tab shows the current risk associated with the high-level locations/teams configured, along with changes over the last week to:

  • Number of onboarded applications
  • Number of current vulnerabilities
  • Current total risk
  • Current average risk (total risk / number of applications)

You can also see the historical trend in risk in the bar chart.

The security metrics are presented for the Global (everyone) ‘team’ which represents all applications in your customer entity (essentially everything), and then further security metrics and charts are generated for each top-level team, such as ‘Atlanta’, ‘Belfast’, and ‘Amsterdam’ as shown above.

If you create further top-level teams, they will dynamically be added to this charting and metrics reporting. Note that you can have as many top-level teams as needed, and the charts presented on these screens can be copied and pasted into your own reports.

The metrics and charts presented for each team include security statistics for applications (vulnerabilities and risk) assigned to that top-level team or to any of its sub-teams (i.e. it all rolls up).
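To make the roll-up and trend arithmetic described in the team metrics table and the Financials tab concrete, here is an added example (not Uleska's code or data model) that computes per-team application counts, vulnerability counts, total and average risk rolled up through a constructed team tree, and the 4-week change against weekly snapshots. The team names, applications and issue risk values are constructed sample data, and the percentage change is taken relative to the earlier snapshot, which is an assumption rather than a documented Uleska definition.

```python
from collections import defaultdict

# Constructed sample team tree: child -> parent (None marks the Global root).
TEAM_PARENT = {"Global": None, "Belfast": "Global",
               "Belfast-Web": "Belfast", "Atlanta": "Global"}
# Constructed sample applications and the team that owns each one.
APP_TEAM = {"shop": "Belfast-Web", "api": "Belfast", "crm": "Atlanta"}
# Constructed open issues as (application, estimated risk in dollars).
ISSUES = [("shop", 50_000), ("shop", 30_000), ("api", 120_000), ("crm", 10_000)]

def lineage(team):
    """The team itself followed by every ancestor up to the Global root."""
    chain = []
    while team is not None:
        chain.append(team)
        team = TEAM_PARENT[team]
    return chain

def team_metrics():
    """Roll app count, vulnerability count and risk up to each ancestor team."""
    apps, vulns, risk = defaultdict(set), defaultdict(int), defaultdict(int)
    for app, owner in APP_TEAM.items():
        for team in lineage(owner):
            apps[team].add(app)
    for app, value in ISSUES:
        for team in lineage(APP_TEAM[app]):
            vulns[team] += 1
            risk[team] += value
    table = {}
    for team in TEAM_PARENT:
        n = len(apps[team])
        table[team] = {"apps": n, "vulns": vulns[team], "risk": risk[team],
                       # average risk per application, as in the metrics table
                       "avg_risk": risk[team] // n if n else 0}
    return table

def four_week_change(snapshots, current):
    """Change from the marker recorded 4 weeks ago to the live current value.
    snapshots: weekly (Sunday night) values, oldest first; current: this week's
    live value, which is not yet a recorded marker. Returns (delta, percent)."""
    series = snapshots + [current]
    base = series[-5] if len(series) >= 5 else series[0]
    delta = current - base
    pct = round(100 * delta / base, 1) if base else None
    return delta, pct

if __name__ == "__main__":
    for team, row in team_metrics().items():
        print(team, row)
    print(four_week_change([192_000, 400_000, 600_000, 700_000], 742_000))
```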

Clicking on any of the top-level teams in the tab at the top will update the display to focus the metrics on that location/team, and will display the financials table for its sub-teams at the bottom of the page.

[Screenshot: Financials tab, Belfast team view]