You may be using the percentage of applications being scanned or the mean time to remediate to track the effectiveness of your application security program, but both of those metrics drive unintended behaviors. Maybe you’ve dabbled with the DORA metrics. This talk will explain why those are bad and provide two alternatives that avoid the pitfalls of those metrics as well as introduce a third metric that is even more important for the success of your DevSecOps cultural transformation.