DevSecOps Metrics and KPIs: What to Measure, What to Report, and What to Ignore

Before covering what to measure, clarify what to stop measuring and reporting as program health indicators.

Total vulnerability count: Reporting "we found 15,000 vulnerabilities this quarter" tells leadership nothing actionable. Finding count is a function of how many applications you scanned, how many scanners you deployed, and how sensitive your thresholds are -- not of how secure your software is. Organizations that expand scanner coverage will see finding counts increase even if underlying code quality improves.

Scan coverage percentage: "85% of repositories are scanned" sounds like progress but does not indicate whether the scanning is finding real issues, whether developers are remediating findings, or whether the scan configuration is appropriate for each application type.

Critical finding count in isolation: A single critical finding that is fixed in 2 days is better than 100 medium findings that sit unaddressed for 6 months. Severity distribution without remediation rate attached to it is an incomplete picture.

Tool adoption rate: "All teams are using SAST" is not a security outcome. A SAST deployment where developers have learned to dismiss all findings because the false positive rate is 60% provides no security value regardless of the adoption percentage.

The metrics that matter instead:

• Remediation rate and MTTR (Mean Time to Remediate) by severity
• False positive rate per scanner
• Security defect density in new code vs. existing code (is the program preventing new defects?)
• Escape rate (vulnerabilities found in production that were not caught in the pipeline)
• Developer engagement rate (what percentage of assigned security findings are acted on vs. dismissed or ignored)

DORA (DevOps Research and Assessment) defines four key metrics for software delivery performance. Each has direct security implications that DevSecOps programs should monitor.

Deployment Frequency: How often code is deployed to production. High-performing teams deploy multiple times per day. Security implication: high deployment frequency means security scanning must be fast (under 10 minutes for blocking checks) or it becomes a bottleneck that pressure developers to bypass. If your SAST scan takes 45 minutes, high-frequency deployment teams will disable or bypass it.

Lead Time for Changes: Time from code commit to production deployment. Security implication: if security scanning adds significant lead time, it creates pressure to reduce or eliminate security steps. Measure the security scanning contribution to lead time and target getting security scanning below 5% of total lead time.

Change Failure Rate: Percentage of deployments that cause production failure (requiring rollback or hotfix). Security implication: security-related deployment failures (a security misconfiguration causes an outage, a dependency upgrade breaks an interface) should be tracked separately to understand the security contribution to change failure rate.

Mean Time to Recovery (MTTR for incidents): Time to restore service after a production failure. Security implication: security incidents that cause production outages contribute to MTTR. Track security-caused incidents separately.

The security-specific extension to DORA: Add two security-specific metrics alongside the four DORA metrics:

• Mean Time to Remediate (MTTR for vulnerabilities): Average time from vulnerability discovery to verified fix, segmented by severity (Critical: target less than 7 days; High: less than 30 days; Medium: less than 90 days).
• Escape rate: Percentage of vulnerabilities discovered in production that should have been caught in the pipeline. High escape rate indicates either scanner coverage gaps or finding dismissal problems.

Mean Time to Remediate (MTTR) -- the time from a vulnerability being identified to a verified fix being deployed -- is the single most actionable DevSecOps metric. It answers the question that matters: when we find a problem, how quickly do we fix it?

MTTR by severity tier (industry benchmarks):

The gap between target and industry average is significant. Most organizations are not close to their stated SLAs for vulnerability remediation. Measuring actual MTTR against SLA reveals the gap; the next step is root cause analysis.

Common MTTR failure modes:

• No owner assigned: Findings without a clear responsible engineer sit in a queue indefinitely. Every finding must be assigned to a named owner with accountability.
• Findings not visible in developer workflow: A security dashboard that developers never look at does not drive remediation. Findings must appear in the tools developers use daily -- Jira tickets created automatically, GitHub PR comments, IDE extensions.
• No escalation process: Findings approaching SLA deadline with no remediation action should trigger automatic escalation. Without escalation, SLAs are aspirational rather than enforced.
• High false positive rate: Developers who dismiss findings because 40% are false positives will also dismiss real findings. Measure and reduce false positive rate as a prerequisite to improving MTTR.

Tracking MTTR in practice: Most SAST and vulnerability management platforms (Snyk, Veracode, Checkmarx, GitHub Advanced Security) provide MTTR reporting natively. If your scanners do not, use the Jira ticket creation date (when the finding became a tracked task) as the start time and the ticket resolution date as the end time. This slightly underreports MTTR but is better than not tracking it.

Shift-left security means finding and fixing vulnerabilities earlier in the development lifecycle, where remediation costs less and risk is lower. Measuring whether your shift-left investment is actually shifting findings left is critical to demonstrating program value.

Security defect density by code age: Compare the vulnerability density (findings per 1,000 lines of code, or per component) for code written in the past 6 months versus code written before shift-left controls were deployed. If shift-left is working, new code should have lower defect density than older code. If new code has the same or higher defect density, the shift-left investment (SAST, SCA, developer training) is not producing results.

Pipeline gate effectiveness: For each security control deployed as a pipeline gate (blocking deployment on critical findings), measure:

• Findings caught by the gate per month (decreasing trend over time is good -- developers are fixing issues before they reach the gate)
• False positive rate for the gate (high false positive rate means developers are learning to dismiss gate failures)
• Gate bypass rate (how often is the gate disabled, bypassed, or its findings marked as accepted risk without proper review?)

Developer engagement metrics:

• Percentage of assigned findings fixed vs. marked as accepted risk vs. dismissed
• Average number of findings per developer (declining over time as developer security knowledge improves)
• Time spent per finding (declining over time as fixes become routine for common finding types)

Security champion effectiveness: For programs with security champions (developers in each team with additional security training): compare defect density in teams with active security champions vs. teams without. Security champion programs that are not producing measurable defect density reduction should be revised.

Presenting shift-left effectiveness to engineering leadership: Frame it as developer productivity: "Security issues caught in code review take 30 minutes to fix. The same issue caught in production takes 8 hours of incident response plus 2 hours of emergency patch development. Our shift-left controls prevented 47 such incidents last quarter." Engineering leadership responds to developer time efficiency arguments more than abstract security improvement claims.

Security debt is the accumulated backlog of known vulnerabilities that have not been remediated. Tracking security debt provides a more honest picture of security posture than finding counts, and communicating it effectively to leadership drives remediation investment.

Security debt calculation: Count open findings segmented by severity and age:

Multiply open finding count by risk weight and sum for a total security debt score. Track this score monthly. A rising score indicates debt accumulation faster than remediation; a declining score indicates debt reduction progress.

The security debt aging report: Present open vulnerabilities in a table showing how long each finding has been open past its SLA deadline. A finding that is 200 days past its 30-day High severity SLA has fundamentally different risk than a finding that opened yesterday. The aging report communicates urgency in a way that finding counts alone do not.

Communicating security debt to leadership: Map security debt to business risk: "Our 14 unpatched critical vulnerabilities in internet-facing applications represent a risk of unauthorized data access affecting customer PII. Each day these remain unpatched increases the probability of exploitation based on known attack campaigns against these vulnerability types." This framing connects security debt to business risk rather than abstract compliance with SLAs.

Debt reduction planning: Security debt reduction requires dedicated engineering time -- it does not reduce itself. Negotiate a monthly allocation of engineering time (typically 10-15% for teams with significant security debt) explicitly reserved for security debt reduction. Without a dedicated allocation, feature development will consistently prioritize over security debt remediation.