Create and Promote


Benefit

Common understanding of your organization’s security posture

Activity

Understand, based on application risk exposure, what threats exist or may exist, as well as how tolerant executive leadership is of these risks. This understanding is a key component of determining software security assurance priorities. To ascertain these threats, interview business owners and stakeholders and document drivers specific to industries where the organization operates as well as drivers specific to the organization. Gathered information includes worst-case scenarios that could impact the organization, as well as opportunities where an optimized software development lifecycle and more secure applications could provide a market-differentiator or create additional opportunities.

Gathered information provides a baseline for the organization to develop and promote its application security program. Items in the program are prioritized to address threats and opportunities most important to the organization. The baseline is split into several risk factors and drivers linked directly to the organization’s priorities and used to help build a risk profile of each custom-developed application by documenting how they can impact the organization if they are compromised.

The baseline and individual risk factors should be published and made available to application development teams to ensure a more transparent process of creating application risk profiles and incorporating the organization’s priorities into the program. Additionally, these goals should provide a set of objectives used to ensure all application security program enhancements directly support the organization’s current and future needs.

Question

Do you understand the enterprise-wide risk appetite for your applications?

Quality criteria

You capture the risk appetite of your organization's executive leadership
The organization's leadership vets and approves the set of risks
You identify the main business and technical threats to your assets and data
You document risks and store them in an accessible location

Answers

No
Yes, it covers general risks
Yes, it covers organization-specific risks
Yes, it covers risks and opportunities

Benefit

Available and agreed upon roadmap of your AppSec program

Activity

Based on the magnitude of assets, threats, and risk tolerance, develop a security strategic plan and budget to address business priorities around application security. The plan covers 1 to 3 years and includes milestones consistent with the organization’s business drivers and risks. It provides tactical and strategic initiatives and follows a roadmap that makes its alignment with business priorities and needs visible.

In the roadmap, you reach a balance between changes requiring financial expenditures, changes of processes and procedures, and changes impacting the organization’s culture. This balance helps accomplish multiple milestones concurrently and without overloading or exhausting available resources or development teams. The milestones are frequent enough to help monitor program success and trigger timely roadmap adjustments.

For the program to be successful, the application security team obtains buy-in from the organization’s stakeholders and application development teams. A published plan is available to anyone who is required to support or participate in its implementation.

Question

Do you have a strategic plan for application security and use it to make decisions?

Quality criteria

The plan reflects the organization's business priorities and risk appetite
The plan includes measurable milestones and a budget
The plan is consistent with the organization's business drivers and risks
The plan lays out a roadmap for strategic and tactical initiatives
You have buy-in from stakeholders, including development teams

Answers

No
Yes, we review it annually
Yes, we consult the plan before making significant decisions
Yes, we consult the plan often, and it is aligned with our application security strategy

Benefit

Continuous AppSec program alignment with the organization’s business goals

Activity

You review the application security plan periodically for ongoing applicability and support of the organization’s evolving needs and future growth. To do this, you repeat the steps from the first two maturity levels of this Security Practice at least annually. The goal is for the plan to always support the current and future needs of the organization, which ensures the program is aligned with the business.

In addition to reviewing the business drivers, the organization closely monitors the success of the implementation of each of the roadmap milestones. You evaluate the success of the milestones based on a wide range of criteria, including completeness and efficiency of the implementation, budget considerations, and any cultural impacts or changes resulting from the initiative. You review missed or unsatisfactory milestones and evaluate possible changes to the overall program.

The organization develops dashboards and measurements for management and teams responsible for software development to monitor the implementation of the roadmap. These dashboards are detailed enough to identify individual projects and initiatives and provide a clear understanding of whether the program is successful and aligned with the organization’s needs.

Question

Do you regularly review and update the Strategic Plan for Application Security?

Quality criteria

You review and update the plan in response to significant changes in the business environment, the organization, or its risk appetite
Plan update steps include reviewing the plan with all the stakeholders and updating the business drivers and strategies
You adjust the plan and roadmap based on lessons learned from completed roadmap activities
You publish progress information on roadmap activities, making sure they are available to all stakeholders

Answers

No
Yes, but review is ad-hoc
Yes, we review it at regular times
Yes, we review it at least annually
