Practice security pipeline metrics vocabulary: mean time to remediate, vulnerability scan coverage, security debt, false positive rate in SAST, and security gate pass rate language.
1 / 5
What is 'mean time to remediate' (MTTR) in a security context?
Mean time to remediate (security MTTR) measures the average time from vulnerability discovery to a verified fix (for example, the finding no longer appears on rescan). It is a key security programme health metric: a lower MTTR means vulnerabilities spend less time exploitable in production. Note that operations teams use the same abbreviation for mean time to recover or restore after an incident, so state which meaning a dashboard uses.
2 / 5
A security report says 'we have 23 open ___ findings.' What word fits?
'Critical' fits. Critical findings are the highest-severity vulnerabilities: those with a reachable exploit path, a high CVSS score, or known active exploitation. Tracking the count of open critical findings, and how long each has been open, is a standard security KPI.
3 / 5
What is 'vulnerability scan coverage' as a security pipeline metric?
Scan coverage measures how much of the in-scope attack surface is actually scanned. 100% coverage means every repository, container image, and IaC template is scanned on the expected schedule. Gaps in coverage are blind spots: an unscanned asset can carry a known vulnerability that never appears in any report, so it is never remediated.
4 / 5
What is 'security debt' in a DevSecOps context?
Security debt is the security equivalent of technical debt: known vulnerabilities, unpatched dependencies, and architectural weaknesses that accumulate when teams prioritise speed over security. Measuring and reducing security debt is a core DevSecOps objective.
5 / 5
A high 'false positive rate in SAST' is a problem because:
A high false positive rate erodes trust in the security tool. When developers see mostly false alarms, they start dismissing all alerts — including real vulnerabilities. Tuning SAST tools to reduce false positives is critical for DevSecOps adoption.
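The five metrics above are easiest to reason about when computed from the same set of finding records. The following is an added example, not part of the original quiz: it builds a small, constructed set of findings and an asset inventory (all names and dates are made up), then computes security MTTR over confirmed remediated findings only, the open critical count, scan coverage with its gaps, the SAST false positive rate over triaged findings, and a severity-weighted security-debt score. The severity weights and the debt formula (weight times days open) are assumptions for illustration, not a standard.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed severity weights for the security-debt score (not a standard; tune per programme).
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass
class Finding:
    id: str
    severity: str
    discovered: datetime
    remediated: Optional[datetime]  # None while the finding is still open
    triage: str                     # "true_positive", "false_positive" or "untriaged"


# Fixed clock so the numbers are reproducible.
NOW = datetime(2024, 6, 1, 12, 0)

# Constructed sample findings, not from a real scanner run.
FINDINGS = [
    Finding("F1", "critical", datetime(2024, 5, 1), datetime(2024, 5, 3), "true_positive"),
    Finding("F2", "high", datetime(2024, 5, 10), datetime(2024, 5, 12, 12), "true_positive"),
    Finding("F3", "critical", datetime(2024, 5, 20), None, "true_positive"),
    Finding("F4", "medium", datetime(2024, 5, 25), datetime(2024, 5, 25, 6), "false_positive"),
    Finding("F5", "critical", datetime(2024, 5, 28), None, "untriaged"),
    Finding("F6", "low", datetime(2024, 4, 1), None, "true_positive"),
    Finding("F7", "high", datetime(2024, 5, 15), datetime(2024, 5, 16), "false_positive"),
]

# Constructed asset inventory: True if the asset was covered in the last scan cycle.
ASSETS = {
    "repo/api": True,
    "repo/web": True,
    "repo/legacy-batch": False,
    "image/api:1.4": True,
    "iac/prod-vpc": False,
}


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def mean_time_to_remediate_hours(findings):
    """Average discovery-to-fix time over confirmed, remediated findings.
    False positives are excluded: closing a non-bug is not a remediation."""
    durations = [hours_between(f.discovered, f.remediated) for f in findings
                 if f.remediated is not None and f.triage == "true_positive"]
    return sum(durations) / len(durations) if durations else None


def open_findings(findings):
    return [f for f in findings if f.remediated is None]


def open_critical_count(findings):
    return sum(1 for f in open_findings(findings) if f.severity == "critical")


def scan_coverage(assets):
    """Fraction of in-scope assets scanned, plus the blind spots by name."""
    gaps = sorted(name for name, scanned in assets.items() if not scanned)
    return (len(assets) - len(gaps)) / len(assets), gaps


def false_positive_rate(findings):
    """Share of triaged findings that were false positives.
    Untriaged findings cannot be counted either way, so they are left out."""
    triaged = [f for f in findings if f.triage != "untriaged"]
    fps = sum(1 for f in triaged if f.triage == "false_positive")
    return fps / len(triaged) if triaged else None


def security_debt(findings, now=NOW):
    """Assumed debt score: severity weight times days open, summed over open findings.
    The score keeps growing while a finding sits unfixed, which is the point of the metric."""
    return sum(SEVERITY_WEIGHT[f.severity] * hours_between(f.discovered, now) / 24
               for f in open_findings(findings))


def metrics_report(findings=FINDINGS, assets=ASSETS, now=NOW):
    coverage, gaps = scan_coverage(assets)
    return {
        "mttr_hours": mean_time_to_remediate_hours(findings),
        "open_findings": len(open_findings(findings)),
        "open_critical": open_critical_count(findings),
        "scan_coverage": coverage,
        "coverage_gaps": gaps,
        "sast_false_positive_rate": false_positive_rate(findings),
        "security_debt_score": security_debt(findings, now),
    }


if __name__ == "__main__":
    for name, value in metrics_report().items():
        print(f"{name}: {value}")
```

Two design choices matter more than the arithmetic. MTTR is computed only over true positives that were actually fixed, so closing false positives quickly cannot make the remediation number look better; and the false positive rate is computed over triaged findings only, so a backlog of untriaged alerts shows up as a gap in the data rather than silently inflating or deflating the rate.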