Software Security Maturity Action Plan (MAP) Datasheet

Clear directions for establishing or maturing your software security program

Our Maturity Action Plan (MAP) is a strategic solution that helps you build a detailed plan and roadmap with a prioritized list of recommendations to enhance your software security program. 

Enhance your ever-changing software security plan

Build, evolve, and maintain your software security initiative

The BSIMM shows you what you’re doing. MAP helps you set objectives, outlines a strategy to get from where you are today to the objectives, and clarifies the resources you’ll need. We’ll work closely with your key stakeholders to understand your organization’s current state, define an achievable future state, and develop a MAP to advance your software security initiative. The plan covers:

  1. People
    A knowledgeable group of software security practitioners, adequately distributed across all your development teams.
    Training and Awareness, so all SSI stakeholders have sufficient skills to execute the evolving tasks associated with their role.
    Attack Intelligence, to bring relevant and timely information about attacker actions, security defects, and mitigation techniques into your firm and turn it into actionable guidance for various stakeholders.

  2. Process
    Software Development Life Cycle (SDLC) Gates, to ensure people and tools include or apply the appropriate software security controls in each software project.
    Open Source Management, so all open source software used in the firm’s portfolio is known, tracked, maintained, tested, and used in accordance with SSI policies and standards.
    Risk and Compliance, to enable subject matter experts to periodically determine the risk posture and compliance status of all software in the SSI.
    Policy and Standards, so appropriate roles maintain complete and current documentation on mandatory actions, events, and characteristics applicable to all the people, process, and technology in the SSI and its application portfolio.
    Metrics, to ensure all SSI processes are appropriately instrumented, that measurement data become valuable metrics, and that metrics are distributed to everyone who requires them for decision-making.
    Vendor Management, to prevent software acquired from third parties from unacceptably increasing the firm’s software security risk and to ensure the appropriate allocation of software security responsibility.

  3. Verification
    To ensure sufficient portfolio breadth, technical depth, and tailored reporting, we utilize the following:
    Penetration Testing, which finds exploitable defects through manual and automated white box and black box testing.
    Architecture and Design Review, which uncovers exploitable defects in software architecture through manual white box analysis.
    Secure Code Review, which identifies exploitable defects through manual code review and automated static analysis.
    Quality Assurance, which finds functional defects and exploitable defects through manual and automated testing.

A MAP engagement usually follows a BSIMM. We incorporate the knowledge gained from the BSIMM to develop an even richer maturity plan.

We have the expertise, tools, and services you need

Take advantage of our 20+ years of experience implementing successful software security initiatives. Once your MAP is developed, we can help you socialize it to get the buy-in, resources, and support you need to implement it.