Most companies have Intel dashboards of vulnerabilities, which measure and map risk within the company. Companies should publish that data, because only when it is visible can you make the market work and reward companies. Obliging companies to publish security data will make them understand the need to invest, and the consequences of the pollution that happens when you have rented projects with crazy deadlines and inadequate resources, but somehow manage to deliver.
The ability to deliver in such chaotic circumstances is often due to the heroic efforts of developers, who work extremely hard to deliver high quality projects, but get rewarded only by being pushed even more by management. This results in extraordinary vulnerabilities and risks being created and bought by the company. Of course, the company doesn't realize this until the vulnerabilities are exploited.
In agile environments, it's important to provide relative numbers such as:
- Risk issues vs velocity
- Risk issues vs story points
By analyzing these numbers over time, the tipping point, where quality and security are no longer in focus, can become painfully clear.
(from SecDevOps Risk Workflow book, please provide feedback as an GitHub issue)