�ݺ�ߣ

Editor's Notes

• #7: Then in each of these practices, you have three maturity levels or four maturity levels if you take the implicit starting point of maturity level 0 on top of it. If we look at level 1, for example, as we can read here an initial understanding and ad hoc provision of Security Practice. Level 2, increase efficiency and/or effectiveness of the Security Practice. Finally level 3, comprehensive mastery of the Security Practice at scale.
• #8: So how can Open SAMM framework used for benchmarking. If you look here, we can create a blank scorecard with each practice area having 3 levels. One thing we also did here was add another practice area here based on our experience.
• #9: The first thing we fill in are industry best practices. Veracode together with IDG is doing research on the practices. This is a planned program throughout the year, and will continue so that at the end of the year, hopefully have data for all the different practices. The first results will be published for the first two practices, strategy and metrics and policy and compliance on June 25th.
• #10: Next you fill in scores for your own organization. We developed a very simple questionnaire out of OpenSAMM to understand what the different levels the company is in for each practice area. We made it very easy to fill out. The benefit of that is it can be easily adopted, not something that is a two or three-day process.
• #11: Once we have the industry best practices and our own enterprise scoring, creating a prioritized road map to close gaps becomes an easy thing. There is one very important implicit message in this picture, which is it is not the goal that you reach maturity level three in all practices. These maturity levels have not been created just for themselves but to help decision making. It should be very well thought-out where you want to reach maturity level 3, because as we all know, the last 20% of anything is the most expensive to reach, so there should be a good business reason to do that.