Integrating Security Metrics into Quality Models: A DORA-Aligned Strategy

Since 17 January 2025, financial entities in the EU, and the ICT third-party service providers that serve them, must comply with the Digital Operational Resilience Act (DORA). The regulation exists to ensure that these organizations keep operating securely and reliably even through a cyberattack or a technology failure.

With digital threats becoming more complex and systems more interconnected and interdependent than ever, security is not simply a “nice-to-have” anymore. Security must be built into everything a company does, and DORA resilience regulations aim to ensure this.

To comply with DORA, companies have to manage their ICT risk, report major ICT-related incidents when they happen, test their resilience regularly, and keep an eye on third-party ICT providers (which, let’s be honest, is a massive job on its own and probably deserves its own blog post). In practice, that means having clear, repeatable ways to measure and improve security at every step of the software development process.

Security can’t be an afterthought - it needs to be part of every step in how software is planned, built, and maintained. That means baking it into your entire development process, especially if you are following a formal SDLC (which you assuredly should be). While there are plenty of industry standards out there that help define what 'good security' looks like and how to measure it, the bigger picture is about building a repeatable, secure process that aligns with your business goals and keeps improving over time. This is the letter and the spirit of DORA’s regulations.

To align with DORA and build security into the software development lifecycle (SDLC), teams need meaningful, actionable metrics that reflect how well security is embedded at every stage. One foundational metric is vulnerability density: the number of findings per 1,000 lines of code, which helps teams spot risky components early in development. It is only comparable across releases when the same scanners and rulesets are used, so fix the tooling before you start trending the number. Once issues are identified, time to remediate becomes crucial: how quickly vulnerabilities are resolved, usually tracked per severity against an agreed SLA. This is something DORA directly emphasizes in its focus on incident response and resilience.

Security testing also plays a major role. Penetration test coverage measures whether the critical parts of the application (authentication, payment flows, privileged operations) are exercised during simulated attacks, not just surface-level features. Secure coding compliance tracks whether developers are following safe coding practices, such as parameterized queries to avoid injection and correct session handling. Related to that, authentication strength reflects how robust login mechanisms are, including whether multi-factor authentication is enforced. The security test pass rate shows how often the software meets predefined thresholds during testing, which is the number a release gate should key on before anything ships.

Beyond development, teams also monitor security incident frequency, a key post-release metric showing how often issues occur in production, which speaks directly to operational resilience. And with software supply chains increasingly targeted, a third-party risk score helps assess the security posture of the open-source libraries and vendor components integrated into the product. Together, these metrics give organizations a clear, end-to-end view of application security health, supporting both a strong SDLC and DORA compliance.
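The following is an added example, not code from the original post or from Leviathan: it computes the metrics described above (vulnerability density, time to remediate, SLA breaches, security test pass rate, incident frequency and a third-party risk score) over a small constructed findings set and combines them into a release gate. The SLA days, severity weights and gate thresholds are hypothetical; DORA does not prescribe those numbers, and every organization should set its own.

```python
"""Security metrics over a constructed findings set (added example).

The SLA days, severity weights and gate thresholds below are hypothetical
illustrations, not values taken from DORA or from the original post.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
# Hypothetical remediation SLAs in days, per severity.
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    component: str          # first-party service or a dependency name
    third_party: bool       # True if the component is a vendor/OSS library
    opened: date
    closed: Optional[date] = None   # None means still open


# Constructed sample data: one internal service plus two OSS dependencies.
FINDINGS = [
    Finding("F-1", "critical", "payments-api", False, date(2025, 3, 1), date(2025, 3, 5)),
    Finding("F-2", "high",     "payments-api", False, date(2025, 3, 2), date(2025, 4, 10)),
    Finding("F-3", "medium",   "payments-api", False, date(2025, 3, 10)),
    Finding("F-4", "high",     "libxml-shim",  True,  date(2025, 2, 1)),
    Finding("F-5", "low",      "jwt-lib",      True,  date(2025, 3, 20), date(2025, 3, 25)),
    Finding("F-6", "critical", "payments-api", False, date(2025, 4, 1)),
]
# Constructed security test results (e.g. a DAST/abuse-case suite): name -> passed.
TEST_RESULTS = {"sqli-login": True, "xss-search": True, "idor-invoice": False,
                "session-fixation": True, "mfa-bypass": True}
# Constructed production incident dates.
INCIDENTS = [date(2025, 1, 14), date(2025, 2, 28), date(2025, 3, 30)]
AS_OF = date(2025, 4, 15)
FIRST_PARTY_LOC = 40_000


def vulnerability_density(findings, loc):
    """First-party findings per 1,000 lines of first-party code."""
    first_party = [f for f in findings if not f.third_party]
    return len(first_party) / (loc / 1000)


def days_to_close(f, as_of):
    """Days from open to close, or age as of today if still open."""
    return ((f.closed or as_of) - f.opened).days


def mean_time_to_remediate(findings, as_of):
    """Mean days to close over closed findings: (overall, {severity: mean})."""
    per_sev = defaultdict(list)
    for f in findings:
        if f.closed is not None:
            per_sev[f.severity].append(days_to_close(f, as_of))
    total = sum(len(v) for v in per_sev.values())
    overall = sum(sum(v) for v in per_sev.values()) / total
    return overall, {s: sum(v) / len(v) for s, v in per_sev.items()}


def sla_breaches(findings, as_of, sla=REMEDIATION_SLA_DAYS):
    """IDs of findings closed late or still open past their severity SLA."""
    return sorted(f.id for f in findings if days_to_close(f, as_of) > sla[f.severity])


def security_test_pass_rate(results):
    return sum(results.values()) / len(results)


def incident_frequency(incidents, as_of, window_days=90):
    """Production incidents per 30 days over the trailing window."""
    recent = [d for d in incidents if 0 <= (as_of - d).days < window_days]
    return len(recent) / (window_days / 30)


def third_party_risk_score(findings):
    """Severity-weighted count of open findings per third-party component."""
    score = defaultdict(int)
    for f in findings:
        if f.third_party:
            score[f.component] += SEVERITY_WEIGHT[f.severity] if f.closed is None else 0
    return dict(score)


def release_gate(findings, results, as_of, loc):
    """Hypothetical gate: (ok, reasons); any reason blocks the release."""
    reasons = []
    if vulnerability_density(findings, loc) > 0.5:
        reasons.append("vulnerability density above 0.5 per KLOC")
    open_critical = [f.id for f in findings if f.closed is None and f.severity == "critical"]
    if open_critical:
        reasons.append(f"open critical findings: {open_critical}")
    late = set(sla_breaches(findings, as_of))
    late_open = [f.id for f in findings if f.closed is None and f.id in late]
    if late_open:
        reasons.append(f"open findings past SLA: {late_open}")
    if security_test_pass_rate(results) < 0.95:
        reasons.append("security test pass rate below 95%")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, reasons = release_gate(FINDINGS, TEST_RESULTS, AS_OF, FIRST_PARTY_LOC)
    print("release allowed" if ok else "release blocked: " + "; ".join(reasons))
```

With the constructed data the gate blocks the release for three independent reasons (an open critical finding, two open findings past SLA, and a pass rate of 80%), which is the point of keeping the metrics separate rather than rolling them into one score: each reason maps to a different owner and a different fix.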

How to get there? How does a company make sure that these metrics are actually met, not only to comply with DORA but to reduce risk in an increasingly crowded threat landscape? Developing and adhering to robust policy is one part of the journey, but proving that your security controls are up to the task is another matter entirely.

DORA addresses this with threat-led penetration testing (TLPT). Financial entities designated by their competent authority must undergo TLPT at least every three years, conducted in line with the TIBER-EU framework and driven by current threat intelligence, so that testing is not simply running down a checklist of best practice or grabbing the most recent update to a static analysis tool. Testers must be independent and suitably qualified; internal testers are permitted only under specific conditions, and the threat intelligence provider must be external to the entity. Leviathan Security Group has decades of experience at the forefront of new technologies and methodologies of testing, expert team members, and multiple company-wide and personal certifications, and we are ready to assist you on your DORA journey.

Security isn’t an afterthought - it’s an essential part of delivering quality software in a digital world. In the age of DORA, treating security as a measurable, continuous part of development isn’t just smart - it’s required.
