DevSecOps is security that’s executed by developers and governed by security in a cloud native context. Governance means it’s security's job to make it work well. So, how do you know it’s working? Metrics! But which ones, and where to start? This talk will introduce modern security metrics for governing DevSecOps. The following metrics will be covered so you can start incorporating them into your own programs: ○ Code Coverage ○ Backlog Burndown: ○ Arrival Rates ○ Survival Rates ○ Escapes Rates