Business applications are vital for the successful functioning of any organization. Therefore, managing their information security risks are just as important as the business itself. If I ask about different measures you take to ensure security of your applications, you might reply with few initiatives such as periodic secure code reviews, external scans, vulnerability assessments & penetration testings and perhaps audits etc. But what If I asked how mature is your program?
One way to answer that would be to compare your program with the industry practice and identify relative position of your organization. For example, if the industry benchmark is 2 (out of 3) and you are at 0.05, then there are many things that need your immediate attention.
So how do I measure vis-à-vis industry?
The answer to that would be finding the relevant maturity model. Although there are many models , I personally find BSIMM (Building Security In Maturity Model) very useful. It can be used as a measuring stick for software security. The model has 4 security domains broken into 12 security practice areas which are further subdivided into additional 3 levels emerging over 100 activities that can be leveraged to compare as well as improve the program. The most interesting part of this model is that there are over 120 participating firms across various industries sharing their approach of application security.
Start off by doing the gap assessment of against BSIMM. Then pick the relevant industry benchmark and plot your practice against it through the spider chart (or anything similar) as below. This will help in visualization of your program's maturity.
Obviously, it is not feasible to take all the initiatives so depending on your business requirements, you can choose which initiative to take as not every organization can afford to invest in all of them. Below are the most common ones that all the participating companies are using:
Please share your experiences and suggestions with BSIMM or any other model that you may have used.
SSDL stands for Secure Software Development Life-cycle
SSF, SSG, SSI stands for Software Security Framework, Software Security Group and Software Security Initiative respectively
PII stands for Personally Identifiable Information that you need to protect