The externalization percentage
Objective
Define the externalization percentage and explain what it tells a CISO about a codebase's authorization posture.
Concept
A CISO does not want to read Rego. They want one number that answers: how much of our authorization is still buried in code, and how much has moved out under policy control? Zift's answer is the externalization percentage.
Conceptually it is the share of discovered authorization decisions that have been externalized to policy rather than left embedded in application code:
externalization % = externalized decisions / total discovered decisions
A codebase where every authorization check is an if user.role == ... in a
handler scores near zero: nothing is externalized. A codebase where those checks
have been pulled into Rego and evaluated by a PDP scores high. The metric is
useful precisely because Zift measures both halves. The scan discovers the total
(including the embedded checks nobody remembered), and it knows which of those
have been extracted, so the denominator is honest.
Why a CISO cares:
- It is a trend, not a snapshot. Run Zift in CI and the number moves as teams externalize checks. A rising externalization percentage is evidence that authorization is coming under Define, Enforce, Audit rather than drifting.
- It surfaces the gap. The complement (the un-externalized share) is exactly the embedded authorization that is invisible to audit and unchangeable without a deploy. That is the Authorization Gap, quantified.
- It is comparable across services. One number per service lets a security team prioritize which codebase to assess next.
The metric depends on the scan finding decisions in the first place, which is why
the --deep pass matters: a check the scan never sees is neither in the
numerator nor the denominator, and the percentage would flatter you. Thorough
discovery keeps the metric honest.
Externalization is the point of the assess phase. Zift's job is to make the percentage visible and to give you the extracted Rego that raises it. Governing that Rego, signing and promoting and deploying it, is Writ's job in a later course.
Hands-on lab
No new commands. Reason about the metric against the lab. The document service
had three embedded checks; all three were extracted into
../lab/policy.rego. Describe, in one or two sentences,
what that does to the service's externalization percentage, and what a single
new un-extracted if user.role == "admin" check added to a handler would do to
it on the next scan.
Check for understanding
- Write the externalization percentage as a ratio, in words.
- A team adds three new inline role checks and externalizes none of them. Which way does the externalization percentage move on the next scan, and why?
- Why does skipping the
--deeppass risk making the externalization percentage look better than the codebase's real posture?