@jawnsy @maaretp
One of the deep problems with security is that (unlike performance, say) it’s not really directly measurable, except in hindsight. You’re managing •unknown• problems and not just •known• ones.
Thus the best chance of answering the question “How secure is this system?” is to look at systemic factors that create risk (e.g. maintenance process, delivery cadence, tool choices, internal incentives) and not just the specific flaws a security test would uncover.