From the course: DevSecOps Metrics and Continuous Improvement

Percentage of code scanned for security

- [Instructor] Now let's talk about the false positive rates of security tools, a key metric for DevSecOps efficiency. False positive rates, or FPR, measure the percentage of alerts from security tools like SAST or DAST that incorrectly flag issues when no vulnerability exists. High FPRs waste developer time, erode trust in tools, and slow down remediation. Lowering FPRs boosts accuracy and keeps your pipeline efficient. In DevSecOps, this means focusing on real threats without distractions. Here's the formula: divide false positives by total alerts and multiply by a hundred. For example, if a SAST tool generates a hundred alerts and 20 are false, that's a 20% FPR. This is a really interesting graph from Expel, and it really shows how organizations struggle with high false positive rates and how it can impact the efficiency of your organization, especially if you're trying to achieve DevOps. You can see that it doesn't really…
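The formula above applied to a small triage log, as an added example that is not part of the course material. The records, tool names and the `disposition` field are constructed for illustration; a real pipeline would read them from the scanner's export or the ticketing system. The example goes one step beyond the transcript by computing FPR per tool and showing why alerts nobody has reviewed yet should not sit in the denominator: a backlog of untriaged findings makes a noisy tool look better than it is.

```python
from collections import defaultdict

# Constructed sample of triaged scanner findings (not data from the course).
# Each record is what a triage workflow leaves behind: which tool raised the
# alert and how a reviewer dispositioned it. 100 SAST alerts with 20 false
# positives reproduce the 20% example from the transcript; the DAST set adds
# 10 alerts that nobody has looked at yet.
SAMPLE_ALERTS = (
    [{"tool": "sast", "disposition": "true_positive"}] * 80
    + [{"tool": "sast", "disposition": "false_positive"}] * 20
    + [{"tool": "dast", "disposition": "true_positive"}] * 30
    + [{"tool": "dast", "disposition": "false_positive"}] * 10
    + [{"tool": "dast", "disposition": "untriaged"}] * 10
)

TRIAGED = ("true_positive", "false_positive")


def false_positive_rate(alerts):
    """FPR in percent: false positives / all alerts * 100, as in the transcript.

    Returns None when there are no alerts, so a tool that produced nothing is
    not accidentally reported as a perfect 0%.
    """
    total = len(alerts)
    if total == 0:
        return None
    false_positives = sum(1 for a in alerts if a["disposition"] == "false_positive")
    return 100.0 * false_positives / total


def fpr_by_tool(alerts, triaged_only=False):
    """Per-tool FPR.

    With triaged_only=True, alerts that are neither a confirmed true positive
    nor a confirmed false positive are dropped from the denominator. Untriaged
    alerts are unknowns, and counting them as "not false" understates the FPR.
    """
    buckets = defaultdict(list)
    for a in alerts:
        if triaged_only and a["disposition"] not in TRIAGED:
            continue
        buckets[a["tool"]].append(a)
    return {tool: false_positive_rate(items) for tool, items in sorted(buckets.items())}


if __name__ == "__main__":
    for tool, rate in fpr_by_tool(SAMPLE_ALERTS).items():
        print(f"{tool}: {rate:.1f}% FPR over all alerts")
    for tool, rate in fpr_by_tool(SAMPLE_ALERTS, triaged_only=True).items():
        print(f"{tool}: {rate:.1f}% FPR over triaged alerts only")
```

On the constructed data the DAST tool reports 20% FPR when every alert is counted but 25% once the ten untriaged alerts are excluded, which is the figure a team should actually track; reporting the metric both ways, or alongside the size of the untriaged backlog, keeps the number honest.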