AppSec isn’t easy. So many different perspectives. In a microservice architecture, systems become polyglot: Go, Rust, Java, Kotlin, JavaScript… and data, data, data...
In compliance-focused security programs, handling that much data is a problem. What is good enough, and how do you set a baseline?
Minimum Viable Secure Product baseline
Implementing a score for Dependabot and CodeQL
```python
import sys

import pandas as pd


def set_score(severity_df: pd.Series) -> int:
    """
    Helper function to calculate the score metrics
    :param severity_df: Series of alert counts indexed by GitHub security issue severity label
    :return: malus (how much to deduct from the optimal start value)
    """
    malus = 0
    # Series.items() replaces iteritems(), which was removed in pandas 2.0
    for key, value in severity_df.items():
        key = str(key).lower()
        # structural pattern matching requires Python 3.10
        match key:
            case "critical":
                malus = malus + 4 * value
            case "high":
                malus = malus + 3 * value
            case "moderate":
                malus = malus + 2 * value
            case "medium":
                malus = malus + 2 * value
            case "low":
                malus = malus + 1 * value
            case _:
                sys.exit("Unknown key: " + key)
    return malus
```
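To show how the malus turns into a baseline decision, here is an added end-to-end example (my code, not the author's). It keeps the page's severity weights (critical 4, high 3, moderate/medium 2, low 1) but uses plain Python instead of pandas, and it assumes two values the page does not state: the optimal start value is 100 and a repository meets the baseline at 80 points or more. The alert records are constructed to resemble what you would build from the GitHub Dependabot and code-scanning alert APIs; only the `severity` and optional `state` keys are used.

```python
from collections import Counter
from typing import Iterable, Mapping

# Weights taken from the set_score helper above.
SEVERITY_WEIGHTS = {"critical": 4, "high": 3, "moderate": 2, "medium": 2, "low": 1}

# Assumed values (not stated on the page): every repository starts at 100
# points and passes the baseline if it keeps at least 80 after deductions.
OPTIMAL_START = 100
BASELINE_THRESHOLD = 80


def severity_counts(alerts: Iterable[Mapping[str, str]]) -> Counter:
    """Count open alerts per normalised severity label.

    Each alert is a dict with a 'severity' key; when a 'state' key is
    present, anything other than 'open' (dismissed, fixed) is ignored so
    that already-handled findings do not lower the score.
    """
    counts: Counter = Counter()
    for alert in alerts:
        if alert.get("state", "open") != "open":
            continue
        counts[str(alert["severity"]).lower()] += 1
    return counts


def calculate_malus(counts: Mapping[str, int]) -> int:
    """Weighted sum of alert counts; unknown labels are an error, not a silent zero."""
    malus = 0
    for severity, n in counts.items():
        if severity not in SEVERITY_WEIGHTS:
            raise ValueError(f"Unknown severity label: {severity!r}")
        malus += SEVERITY_WEIGHTS[severity] * n
    return malus


def repository_score(alerts: Iterable[Mapping[str, str]]) -> dict:
    """Combine counting, malus and the baseline check into one report."""
    counts = severity_counts(alerts)
    malus = calculate_malus(counts)
    score = max(0, OPTIMAL_START - malus)
    return {
        "counts": dict(counts),
        "malus": malus,
        "score": score,
        "meets_baseline": score >= BASELINE_THRESHOLD,
    }


# Constructed sample: mixed Dependabot/CodeQL-style alerts for one repository.
SAMPLE_ALERTS = [
    {"severity": "critical", "state": "open"},
    {"severity": "high", "state": "open"},
    {"severity": "high", "state": "dismissed"},   # already triaged, not counted
    {"severity": "moderate", "state": "open"},
    {"severity": "Medium"},                        # mixed case, no state key
    {"severity": "low", "state": "open"},
    {"severity": "low", "state": "open"},
]

if __name__ == "__main__":
    report = repository_score(SAMPLE_ALERTS)
    print(report)  # malus 13, score 87, meets_baseline True
```

Raising on an unknown label (rather than `sys.exit`) keeps the helper usable inside a larger pipeline or a test suite, while still refusing to silently score a label the weighting table does not know about.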