How mature is your Application Security Program?

Business applications are vital for the successful functioning of any organization. Therefore, managing their information security risks are just as important as the business itself. If I ask about different measures you take to ensure security of your applications, you might reply with few initiatives such as periodic secure code reviews, external scans, vulnerability assessments & penetration testings and perhaps audits etc. But what If I asked how mature is your program?

One way to answer that would be to compare your program with the industry practice and identify relative position of your organization. For example, if the industry benchmark is 2 (out of 3) and you are at 0.05, then there are many things that need your immediate attention.

So how do I measure vis-à-vis industry?

No alt text provided for this image

The answer to that would be finding the relevant maturity model. Although there are many models , I personally find BSIMM (Building Security In Maturity Model) very useful. It can be used as a measuring stick for software security. The model has 4 security domains broken into 12 security practice areas which are further subdivided into additional 3 levels emerging over 100 activities that can be leveraged to compare as well as improve the program. The most interesting part of this model is that there are over 120 participating firms across various industries sharing their approach of application security.

Start off by doing the gap assessment of against BSIMM. Then pick the relevant industry benchmark and plot your practice against it through the spider chart (or anything similar) as below. This will help in visualization of your program's maturity.

No alt text provided for this image

Obviously, it is not feasible to take all the initiatives so depending on your business requirements, you can choose which initiative to take as not every organization can afford to invest in all of them. Below are the most common ones that all the participating companies are using:

No alt text provided for this image

Please share your experiences and suggestions with BSIMM or any other model that you may have used.


SSDL stands for Secure Software Development Life-cycle

SSF, SSG, SSI stands for Software Security Framework, Software Security Group and Software Security Initiative respectively

PII stands for Personally Identifiable Information that you need to protect

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

Fireside Chat - Lessons Learnt From The Solarwinds Attack

  • Description:
    Meet Sudhakar Ramakrishna, CEO of @SolarWinds to discuss ‘Lessons Learnt From The SolarWinds Attack’.
    The ‘SolarWinds hack’, a cyberattack recently discovered in the United States, has emerged as one of the biggest ever targeted against the US government, its agencies and several other private companies.
    Here’s an exclusive live chat with the CEO to understand what went wrong, what to prevent and lessons learnt. Join us in the live session (Limited Seats)…
  • Created by: pritha
  • Tags: solarwindshack, ceo