Identify the organization's risk appetite
- You capture the risk appetite of your organization's executive leadership
- The organization's leadership vet and approve the set of risks
- You identify the main business and technical threats to your assets and data
- You document risks and store them in an accessible location
Objective
Identify objectives and means of measuring effectiveness of the security program.
Benefit
Common understanding of your organization's security posture
Activity
Understand, based on application risk exposure, what threats exist or may exist, as well as how tolerant executive leadership is of these risks. This understanding is a key component of determining software security assurance priorities. To ascertain these threats, interview business owners and stakeholders and document drivers specific to industries where the organization operates as well as drivers specific to the organization. Gathered information includes worst-case scenarios that could impact the organization, as well as opportunities where an optimized software development lifecycle and more secure applications could provide a market-differentiator or create additional opportunities.
Gathered information provides a baseline for the organization to develop and promote its application security program. Items in the program are prioritized to address threats and opportunities most important to the organization. The baseline is split into several risk factors and drivers linked directly to the organization’s priorities and used to help build a risk profile of each custom-developed application by documenting how they can impact the organization if they are compromised.
The baseline and individual risk factors should be published and made available to application development teams to ensure a more transparent process of creating application risk profiles and incorporating the organization’s priorities into the program. Additionally, these goals should provide a set of objectives which should be used to ensure all application security program enhancements provide direct support of the organization’s current and future needs.
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
OWASP DSOMM
DSOMM is a complementary framework to SAMM focused on DevSecOps.
The DevSecOps Maturity Model (DSOMM), shows security measures which are applied when using DevOps strategies and how these can be prioritized. With the help of DevOps strategies security can also be enhanced.
Community guidance
This guidance is based on the approved community submissions.
Sample Risks and Threat Document
The sample risks and threat document provides a starting point for level 1 maturity.
Create a pragmatic document that describes the risks and how tolerant the executive leadership is of these risks. The executive leadership and business owners should vet these risks. Describe worst case scenarios that could impact the organization. Make sure to create awareness of these risks towards the development teams.
View the Sample Risks and Threats Document.
We would recommend using a wiki that supports versioning. Having the wiki accessible via git is very practical for smaller sized firms as you will have an easy way to access and update the wiki. Gitlab, Github both provide an integrated wiki.
Define the security strategy
- The plan reflects the organization's business priorities and risk appetite
- The plan includes measurable milestones and a budget
- The plan is consistent with the organization's business drivers and risks
- The plan lays out a roadmap for strategic and tactical initiatives
- You have buy-in from stakeholders, including development teams
Objective
Establish a unified strategic roadmap for software security within the organization.
Benefit
Available and agreed upon roadmap of your AppSec program
Activity
Based on the magnitude of assets, threats, and risk tolerance, develop a security strategic plan and budget to address business priorities around application security. The plan covers 1 to 3 years and includes milestones consistent with the organization’s business drivers and risks. It provides tactical and strategic initiatives and follows a roadmap that makes its alignment with business priorities and needs visible.
In the roadmap, you reach a balance between changes requiring financial expenditures, changes of processes and procedures, and changes impacting the organization’s culture. This balance helps accomplish multiple milestones concurrently and without overloading or exhausting available resources or development teams. The milestones are frequent enough to help monitor program success and trigger timely roadmap adjustments.
For the program to be successful, the application security team obtains buy-in from the organization’s stakeholders and application development teams. A published plan is available to anyone who is required to support or participate in its implementation.
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
OWASP DSOMM
DSOMM is a complementary framework to SAMM focused on DevSecOps.
The DevSecOps Maturity Model (DSOMM), shows security measures which are applied when using DevOps strategies and how these can be prioritized. With the help of DevOps strategies security can also be enhanced.
Community guidance
This guidance is based on the approved community submissions.
Sample Strategic Plan for a Small Product Firm
We provide a sample strategic plan that is a requirement for this maturity level.
Create and publish a strategic security plan based on the magnitudes of your assets, threats and risks. The plan should cover a period of 1-3 years and describe the milestones consistent with your organization’s business drivers and risks. Make sure to create and maintain awareness of the plan (e.g., present the plan and progress during staff briefings).
It is likely that your organization will also have a product roadmap planning as well. Aligning the style and the approach of the security roadmap documents to existing product roadmap documents increases reader comprehension and engagement. Especially if (serious) product security work is new to the organization. For the practitioner, this has the added benefit that they can work off a template instead of crafting documents from scratch
View the Sample Strategic Plan.
We would recommend using a wiki that supports versioning. Having the wiki accessible via git is very practical for smaller sized firms as you will have an easy way to access and update the wiki. Gitlab, Github both provide an integrated wiki.
Align with product roadmap design
It's pragmatic advice
Organizations at this level will often have product roadmap planning too.
Aligning the style and approach of the security roadmap documents to existing product roadmap documents increases reader comprehension and engagement. Especially if (serious) product security work is new to the organization.
For the practitioner, this has the added benefit that they can work off a template instead of crafting documents from scratch
Align security and business strategies
- You review and update the plan in response to significant changes in the business environment, the organization, or its risk appetite
- Plan update steps include reviewing the plan with all the stakeholders and updating the business drivers and strategies
- You adjust the plan and roadmap based on lessons learned from completed roadmap activities
- You publish progress information on roadmap activities, making sure they are available to all stakeholders
Objective
Align security efforts with the relevant organizational indicators and asset values.
Benefit
Continuous AppSec program alignment with the organization's business goals
Activity
You review the application security plan periodically for ongoing applicability and support of the organization’s evolving needs and future growth. To do this, you repeat the steps from the first two maturity levels of this Security Practice at least annually. The goal is for the plan to always support the current and future needs of the organization, which ensures the program is aligned with the business.
In addition to reviewing the business drivers, the organization closely monitors the success of the implementation of each of the roadmap milestones. You evaluate the success of the milestones based on a wide range of criteria, including completeness and efficiency of the implementation, budget considerations, and any cultural impacts or changes resulting from the initiative. You review missed or unsatisfactory milestones and evaluate possible changes to the overall program.
The organization develops dashboards and measurements for management and teams responsible for software development to monitor the implementation of the roadmap. These dashboards are detailed enough to identify individual projects and initiatives and provide a clear understanding of whether the program is successful and aligned with the organization’s needs.
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
OWASP DSOMM
DSOMM is a complementary framework to SAMM focused on DevSecOps.
The DevSecOps Maturity Model (DSOMM), shows security measures which are applied when using DevOps strategies and how these can be prioritized. With the help of DevOps strategies security can also be enhanced.
Community guidance
This guidance is based on the approved community submissions.