L1: Do you understand the enterprise-wide risk appetite for your applications?
  • You capture the risk appetite of your organization's executive leadership
  • The organization's leadership vets and approves the set of risks
  • You identify the main business and technical threats to your assets and data
  • You document risks and store them in an accessible location

L2: Do you have a strategic plan for application security and use it to make decisions?
  • The plan reflects the organization's business priorities and risk appetite
  • The plan includes measurable milestones and a budget
  • The plan is consistent with the organization's business drivers and risks
  • The plan lays out a roadmap for strategic and tactical initiatives
  • You have buy-in from stakeholders, including development teams

L3: Do you regularly review and update the Strategic Plan for Application Security?
  • You review and update the plan in response to significant changes in the business environment, the organization, or its risk appetite
  • Plan update steps include reviewing the plan with all the stakeholders and updating the business drivers and strategies
  • You adjust the plan and roadmap based on lessons learned from completed roadmap activities
  • You publish progress information on roadmap activities, making sure they are available to all stakeholders