| Order | Domain | Practice | Activity ID | Activity Name | Observations | Percent | Performed | Maturity (0 - 3) | Coverage | Owner | Evidence | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Governance | Strategy & Metrics | SM1.1 | Publish process and evolve as necessary. | 84 | 75.7% | Yes | 1 | | | | |
| 2 | Governance | Strategy & Metrics | SM1.3 | Educate executives on software security. | 66 | 59.5% | No | 0 | | | | |
| 3 | Governance | Strategy & Metrics | SM1.4 | Implement security checkpoints and associated governance. | 100 | 90.1% | Yes | 3 | | | | |
| 4 | Governance | Strategy & Metrics | SM1.7 | Enforce security checkpoints and track exceptions. | 71 | 64.0% | Yes | 2 | | | | |
| 5 | Governance | Strategy & Metrics | SM2.1 | Publish data about software security internally and use it to drive change. | 54 | 48.7% | No | 0 | | | | |
| 6 | Governance | Strategy & Metrics | SM2.3 | Create or grow a security champions program. | 55 | 49.6% | | | | | | |
| 7 | Governance | Strategy & Metrics | SM2.6 | Require security sign-off prior to software release. | 62 | 55.9% | | | | | | |
| 8 | Governance | Strategy & Metrics | SM2.7 | Create evangelism role and perform internal marketing. | 49 | 44.1% | | | | | | |
| 9 | Governance | Strategy & Metrics | SM3.1 | Use a software asset tracking application with portfolio view. | 31 | 27.9% | | | | | | |
| 10 | Governance | Strategy & Metrics | SM3.2 | Make SSI efforts part of external marketing. | 25 | 22.5% | | | | | | |
| 11 | Governance | Strategy & Metrics | SM3.3 | Identify metrics and use them to drive resourcing. | 30 | 27.0% | | | | | | |
| 12 | Governance | Strategy & Metrics | SM3.4 | Integrate software-defined lifecycle governance. | 9 | 8.1% | | | | | | |
| 13 | Governance | Strategy & Metrics | SM3.5 | Integrate software supply chain risk management. | 5 | 4.5% | | | | | | |
| 14 | Governance | Compliance & Policy | CP1.1 | Unify regulatory pressures. | 88 | 79.3% | | | | | | |
| 15 | Governance | Compliance & Policy | CP1.2 | Identify privacy obligations. | 94 | 84.7% | | | | | | |
| 16 | Governance | Compliance & Policy | CP1.3 | Create policy. | 92 | 82.9% | | | | | | |
| 17 | Governance | Compliance & Policy | CP2.1 | Build a PII inventory. | 46 | 41.4% | | | | | | |
| 18 | Governance | Compliance & Policy | CP2.2 | Require security sign-off for compliance-related risk. | 56 | 50.5% | | | | | | |
| 19 | Governance | Compliance & Policy | CP2.3 | Implement and track controls for compliance. | 63 | 56.8% | | | | | | |
| 20 | Governance | Compliance & Policy | CP2.4 | Include software security SLAs in all vendor contracts. | 61 | 55.0% | | | | | | |
| 21 | Governance | Compliance & Policy | CP2.5 | Ensure executive awareness of compliance and privacy obligations. | 68 | 61.3% | | | | | | |
| 22 | Governance | Compliance & Policy | CP3.1 | Document a software compliance story. | 40 | 36.0% | | | | | | |
| 23 | Governance | Compliance & Policy | CP3.2 | Ensure compatible vendor policies. | 41 | 36.9% | | | | | | |
| 24 | Governance | Compliance & Policy | CP3.3 | Drive feedback from software lifecycle data back to policy. | 15 | 13.5% | | | | | | |
| 25 | Governance | Training | T1.1 | Conduct software security awareness training. | 61 | 55.0% | | | | | | |
| 26 | Governance | Training | T1.7 | Deliver on-demand individual training. | 61 | 55.0% | | | | | | |
| 27 | Governance | Training | T1.8 | Include security resources in onboarding. | 52 | 46.9% | | | | | | |
| 28 | Governance | Training | T2.5 | Enhance security champions through training and events. | 30 | 27.0% | | | | | | |
| 29 | Governance | Training | T2.8 | Create and use material specific to company history. | 25 | 22.5% | | | | | | |
| 30 | Governance | Training | T2.9 | Deliver role-specific advanced curriculum. | 30 | 27.0% | | | | | | |
| 31 | Governance | Training | T2.10 | Host software security events. | 21 | 18.9% | | | | | | |
| 32 | Governance | Training | T2.11 | Require an annual refresher. | 30 | 27.0% | | | | | | |
| 33 | Governance | Training | T2.12 | Provide expertise via open collaboration channels. | 45 | 40.5% | | | | | | |
| 34 | Governance | Training | T3.1 | Reward progression through curriculum. | 8 | 7.2% | | | | | | |
| 35 | Governance | Training | T3.2 | Provide training for vendors and outsourced workers. | 21 | 18.9% | | | | | | |
| 36 | Governance | Training | T3.6 | Identify new security champions through observation. | 8 | 7.2% | | | | | | |
| 37 | Intelligence | Attack Models | AM1.2 | Use a data classification scheme for software inventory. | 57 | 51.4% | | | | | | |
| 38 | Intelligence | Attack Models | AM1.3 | Identify potential attackers. | 44 | 39.6% | | | | | | |
| 39 | Intelligence | Attack Models | AM1.5 | Gather and use attack intelligence. | 78 | 70.3% | | | | | | |
| 40 | Intelligence | Attack Models | AM2.1 | Build attack patterns and abuse cases tied to potential attackers. | 20 | 18.0% | | | | | | |
| 41 | Intelligence | Attack Models | AM2.6 | Collect and publish attack stories. | 16 | 14.4% | | | | | | |
| 42 | Intelligence | Attack Models | AM2.7 | Build an internal forum to discuss attacks. | 18 | 16.2% | | | | | | |
| 43 | Intelligence | Attack Models | AM2.8 | Have a research group that develops new attack methods. | 26 | 23.4% | | | | | | |
| 44 | Intelligence | Attack Models | AM2.9 | Monitor automated asset creation. | 22 | 19.8% | | | | | | |
| 45 | Intelligence | Attack Models | AM3.2 | Create and use automation to mimic attackers. | 5 | 4.5% | | | | | | |
| 46 | Intelligence | Attack Models | AM3.4 | Create technology-specific attack patterns. | 9 | 8.1% | | | | | | |
| 47 | Intelligence | Attack Models | AM3.5 | Maintain and use a top N possible attacks list. | 12 | 10.8% | | | | | | |
| 48 | Intelligence | Security Features & Design | SFD1.1 | Integrate and deliver security features. | 85 | 76.6% | | | | | | |
| 49 | Intelligence | Security Features & Design | SFD1.2 | Application architecture teams engage with the SSG. | 77 | 69.4% | | | | | | |
| 50 | Intelligence | Security Features & Design | SFD2.1 | Leverage secure-by-design components and services. | 44 | 39.6% | | | | | | |
| 51 | Intelligence | Security Features & Design | SFD2.2 | Create capability to solve difficult design problems. | 62 | 55.9% | | | | | | |
| 52 | Intelligence | Security Features & Design | SFD3.1 | Form a review board to approve and maintain secure design patterns. | 16 | 14.4% | | | | | | |
| 53 | Intelligence | Security Features & Design | SFD3.2 | Require use of approved security features and frameworks. | 22 | 19.8% | | | | | | |
| 54 | Intelligence | Security Features & Design | SFD3.3 | Find and publish secure design patterns from the organization. | 11 | 9.9% | | | | | | |
| 55 | Intelligence | Standards & Requirements | SR1.1 | Create security standards. | 82 | 73.9% | | | | | | |
| 56 | Intelligence | Standards & Requirements | SR1.2 | Create a security portal. | 88 | 79.3% | | | | | | |
| 57 | Intelligence | Standards & Requirements | SR1.3 | Translate compliance constraints to requirements. | 77 | 69.4% | | | | | | |
| 58 | Intelligence | Standards & Requirements | SR1.5 | Identify open source. | 88 | 79.3% | | | | | | |
| 59 | Intelligence | Standards & Requirements | SR2.2 | Create a standards review process. | 65 | 58.6% | | | | | | |
| 60 | Intelligence | Standards & Requirements | SR2.5 | Create SLA boilerplate. | 62 | 55.9% | | | | | | |
| 61 | Intelligence | Standards & Requirements | SR2.7 | Control open source risk. | 53 | 47.8% | | | | | | |
| 62 | Intelligence | Standards & Requirements | SR3.2 | Communicate standards to vendors. | 17 | 15.3% | | | | | | |
| 63 | Intelligence | Standards & Requirements | SR3.3 | Use secure coding standards. | 19 | 17.1% | | | | | | |
| 64 | Intelligence | Standards & Requirements | SR3.4 | Create standards for technology stacks. | 26 | 23.4% | | | | | | |
| 65 | Intelligence | Standards & Requirements | SR3.5 | Create standards controlling and guiding the adoption of new technologies. | 2 | 1.8% | | | | | | |
| 66 | SSDL Touchpoints | Architecture Analysis | AA1.1 | Perform security feature review. | 89 | 80.2% | | | | | | |
| 67 | SSDL Touchpoints | Architecture Analysis | AA1.2 | Perform design review for high-risk applications. | 51 | 46.0% | | | | | | |
| 68 | SSDL Touchpoints | Architecture Analysis | AA1.4 | Use a risk methodology to rank applications. | 57 | 51.4% | | | | | | |
| 69 | SSDL Touchpoints | Architecture Analysis | AA2.1 | Perform architecture analysis using a defined process. | 35 | 31.5% | | | | | | |
| 70 | SSDL Touchpoints | Architecture Analysis | AA2.2 | Standardize architectural descriptions. | 38 | 34.2% | | | | | | |
| 71 | SSDL Touchpoints | Architecture Analysis | AA2.4 | Have SSG lead design review efforts. | 36 | 32.4% | | | | | | |
| 72 | SSDL Touchpoints | Architecture Analysis | AA3.1 | Have engineering teams lead AA process. | 17 | 15.3% | | | | | | |
| 73 | SSDL Touchpoints | Architecture Analysis | AA3.2 | Drive analysis results into standard design patterns. | 7 | 6.3% | | | | | | |
| 74 | SSDL Touchpoints | Architecture Analysis | AA3.3 | Make the SSG available as an AA resource or mentor. | 14 | 12.6% | | | | | | |
| 75 | SSDL Touchpoints | Code Review | CR1.2 | Perform opportunistic code review. | 75 | 67.6% | | | | | | |
| 76 | SSDL Touchpoints | Code Review | CR1.4 | Use automated code review tools. | 95 | 85.6% | | | | | | |
| 77 | SSDL Touchpoints | Code Review | CR1.5 | Make code review mandatory for all projects. | 74 | 66.7% | | | | | | |
| 78 | SSDL Touchpoints | Code Review | CR1.7 | Assign code review tool mentors. | 47 | 42.3% | | | | | | |
| 79 | SSDL Touchpoints | Code Review | CR2.6 | Use custom rules with automated code review tools. | 29 | 26.1% | | | | | | |
| 80 | SSDL Touchpoints | Code Review | CR2.7 | Use a top N bugs list (real data preferred). | 19 | 17.1% | | | | | | |
| 81 | SSDL Touchpoints | Code Review | CR2.8 | Use centralized defect reporting to close the knowledge loop. | 28 | 25.2% | | | | | | |
| 82 | SSDL Touchpoints | Code Review | CR3.2 | Build a capability to combine AST results. | 18 | 16.2% | | | | | | |
| 83 | SSDL Touchpoints | Code Review | CR3.3 | Create capability to eradicate bugs. | 8 | 7.2% | | | | | | |
| 84 | SSDL Touchpoints | Code Review | CR3.4 | Automate malicious code detection. | 3 | 2.7% | | | | | | |
| 85 | SSDL Touchpoints | Code Review | CR3.5 | Enforce secure coding standards. | 4 | 3.6% | | | | | | |
| 86 | SSDL Touchpoints | Security Testing | ST1.1 | Perform edge/boundary value condition testing during QA. | 93 | 83.8% | | | | | | |
| 87 | SSDL Touchpoints | Security Testing | ST1.3 | Drive tests with security requirements and security features. | 66 | 59.5% | | | | | | |
| 88 | SSDL Touchpoints | Security Testing | ST1.4 | Integrate opaque-box security tools into the QA process. | 47 | 42.3% | | | | | | |
| 89 | SSDL Touchpoints | Security Testing | ST2.4 | Drive QA tests with AST results. | 20 | 18.0% | | | | | | |
| 90 | SSDL Touchpoints | Security Testing | ST2.5 | Include security tests in QA automation. | 30 | 27.0% | | | | | | |
| 91 | SSDL Touchpoints | Security Testing | ST2.6 | Perform fuzz testing customized to application APIs. | 28 | 25.2% | | | | | | |
| 92 | SSDL Touchpoints | Security Testing | ST3.3 | Drive tests with design review results. | 15 | 13.5% | | | | | | |
| 93 | SSDL Touchpoints | Security Testing | ST3.4 | Leverage code coverage analysis. | 6 | 5.4% | | | | | | |
| 94 | SSDL Touchpoints | Security Testing | ST3.5 | Begin to build and apply adversarial security tests (abuse cases). | 9 | 8.1% | | | | | | |
| 95 | SSDL Touchpoints | Security Testing | ST3.6 | Implement event-driven security testing in automation. | 10 | 9.0% | | | | | | |
| 96 | Deployment | Penetration Testing | PT1.1 | Use external penetration testers to find problems. | 95 | 85.6% | | | | | | |
| 97 | Deployment | Penetration Testing | PT1.2 | Feed results to the defect management and mitigation system. | 87 | 78.4% | | | | | | |
| 98 | Deployment | Penetration Testing | PT1.3 | Use penetration testing tools internally. | 67 | 60.4% | | | | | | |
| 99 | Deployment | Penetration Testing | PT2.2 | Penetration testers use all available information. | 40 | 36.0% | | | | | | |