Identify the organization's risk appetite

Identify objectives and means of measuring effectiveness of the security program.

Common understanding of your organization's security posture

Understand, based on application risk exposure, what threats exist or may exist, as well as how tolerant executive leadership is of these risks. This understanding is a key component of determining software security assurance priorities. To ascertain these threats, interview business owners and stakeholders and document drivers specific to industries where the organization operates as well as drivers specific to the organization. Gathered information includes worst-case scenarios that could impact the organization, as well as opportunities where an optimized software development lifecycle and more secure applications could provide a market-differentiator or create additional opportunities.

Gathered information provides a baseline for the organization to develop and promote its application security program. Items in the program are prioritized to address threats and opportunities most important to the organization. The baseline is split into several risk factors and drivers linked directly to the organization’s priorities and used to help build a risk profile of each custom-developed application by documenting how they can impact the organization if they are compromised.

The baseline and individual risk factors should be published and made available to application development teams to ensure a more transparent process of creating application risk profiles and incorporating the organization’s priorities into the program. Additionally, these goals should provide a set of objectives used to ensure that all application security program enhancements directly support the organization’s current and future needs.

SAMMY guidance
Create a pragmatic document that describes the risks and how tolerant the executive leadership is of these risks. The executive leadership and business owners should vet these risks. Describe worst-case scenarios that could impact the organization. Make sure to create awareness of these risks among the development teams.
View the Sample Risks and Threats Document.
We would recommend using a wiki that supports versioning. Having the wiki accessible via git is very practical for smaller firms, as it gives you an easy way to access and update the wiki. GitLab and GitHub both provide an integrated wiki.

Do you understand the enterprise-wide risk appetite for your applications?
  • You capture the risk appetite of your organization's executive leadership
  • The organization's leadership vets and approves the set of risks
  • You identify the main business and technical threats to your assets and data
  • You document risks and store them in an accessible location
Define the security strategy

Establish a unified strategic roadmap for software security within the organization.

Available and agreed upon roadmap of your AppSec program

Based on the magnitude of assets, threats, and risk tolerance, develop a security strategic plan and budget to address business priorities around application security. The plan covers 1 to 3 years and includes milestones consistent with the organization’s business drivers and risks. It provides tactical and strategic initiatives and follows a roadmap that makes its alignment with business priorities and needs visible.

In the roadmap, you reach a balance between changes requiring financial expenditures, changes of processes and procedures, and changes impacting the organization’s culture. This balance helps accomplish multiple milestones concurrently and without overloading or exhausting available resources or development teams. The milestones are frequent enough to help monitor program success and trigger timely roadmap adjustments.

For the program to be successful, the application security team obtains buy-in from the organization’s stakeholders and application development teams. A published plan is available to anyone who is required to support or participate in its implementation.

SAMMY guidance
Create and publish a strategic security plan based on the magnitudes of your assets, threats and risks. The plan should cover a period of 1-3 years and describe the milestones consistent with your organization’s business drivers and risks. Make sure to create and maintain awareness of the plan (e.g., present the plan and progress during staff briefings).
It is likely that your organization also has product roadmap planning. Aligning the style and approach of the security roadmap documents with the existing product roadmap documents increases reader comprehension and engagement, especially if (serious) product security work is new to the organization. For the practitioner, this has the added benefit of being able to work from a template instead of crafting documents from scratch.
View the Sample Strategic Plan.
We would recommend using a wiki that supports versioning. Having the wiki accessible via git is very practical for smaller firms, as it gives you an easy way to access and update the wiki. GitLab and GitHub both provide an integrated wiki.

Do you have a strategic plan for application security and use it to make decisions?
  • The plan reflects the organization's business priorities and risk appetite
  • The plan includes measurable milestones and a budget
  • The plan is consistent with the organization's business drivers and risks
  • The plan lays out a roadmap for strategic and tactical initiatives
  • You have buy-in from stakeholders, including development teams
Align security and business strategies

Align security efforts with the relevant organizational indicators and asset values.

Continuous AppSec program alignment with the organization's business goals

You review the application security plan periodically for ongoing applicability and support of the organization’s evolving needs and future growth. To do this, you repeat the steps from the first two maturity levels of this Security Practice at least annually. The goal is for the plan to always support the current and future needs of the organization, which ensures the program is aligned with the business.

In addition to reviewing the business drivers, the organization closely monitors the success of the implementation of each of the roadmap milestones. You evaluate the success of the milestones based on a wide range of criteria, including completeness and efficiency of the implementation, budget considerations, and any cultural impacts or changes resulting from the initiative. You review missed or unsatisfactory milestones and evaluate possible changes to the overall program.

The organization develops dashboards and measurements for management and teams responsible for software development to monitor the implementation of the roadmap. These dashboards are detailed enough to identify individual projects and initiatives and provide a clear understanding of whether the program is successful and aligned with the organization’s needs.

SAMMY guidance
Periodically review and update your strategic plan from Maturity Level 2. Include the lessons learned and publish the information on roadmap activities, making sure they are available to all stakeholders (e.g., by presenting this information during staff briefings).

Do you regularly review and update the Strategic Plan for Application Security?
  • You review and update the plan in response to significant changes in the business environment, the organization, or its risk appetite
  • Plan update steps include reviewing the plan with all the stakeholders and updating the business drivers and strategies
  • You adjust the plan and roadmap based on lessons learned from completed roadmap activities
  • You publish progress information on roadmap activities, making sure they are available to all stakeholders