ABCDEFGHIJKLMNOPQRSTUVWXYZ
1
Aspect0123Current Rating & Reasons
2
AuditAuditability of the application has not been considered.Key aspects of the system have been identified for auditability, but may require manual data querying.Key aspects of the system have been identified for auditability, and there is an easy / secure way for internal employees to access the audit information.Key aspects of the system are auditable, and there is an easy / secure way to access the records. Records have a retention policy identified, and the archival process is automated. Retrieval of archived records is possible.
3
Availability / ScaleAvailability / Scale of the application has not been considered.Availability and scaling SLAs have been identified, but not yet implemented.Availability SLAs have been created, and are actively monitored. Scaling approaches have been identified.Availability is actively monitored, and application can scale automatically under high demand (or has enough overhead to meet expected peak demand).
4
ComplianceCompliance requirements have not been considered.Compliance research has been done, and possible compliance work has been identified.The app complies with most necessary compliance. Any compliance gaps are documented and exist in work backlog.App is compliant with all all mandatory policies. Process is in place to ensure continued compliance with those policies.
5
Customer DataHow sensitive customer data is handled has not been considered.Sensitive customer data has been identified.Sensitive customer data has been identified, and policies / practices have been implemented to keep it secure.Processes have been documented for what to do if there is a leak of customer data.
6
Data - Backup / RestoreBackup and restore of data has not been considered.Manual backups of data are available in a secure manner.Automated backups are run in production, and a restore process has been documented.Automated backups are available, and the restore process has been documented, and executed in a test environment.
7
Infrastructure - EnvironmentsInfrastructure has not been considered.App is deployable to one or more non-local environment.Application is deployable to production.New environments can be stood up quickly, and in an automated / repeatable fashion.
8
Infrastructure - DeploymentsDeployment has not been considered.App is manually deployable to an environment.App is automatically deployable to production, and a rollback process has been identified and exercised. If a deploy causes downtime or interruptions to end users, these must be documented.App is able to be deployed with zero downtime or interruption to end users.
9
Infrastructure - SecuritySecurity has not been considered.Basic security has been considered, and implemented. (port blocking, IAM role evaluations)Process for continual evaluation of infrastructure security is created, and performed. VMs and libraries are patched in a timely manner if exploits are identified.Automated testing/monitoring of infrastructure level security is implemented.3rd party evaluation of security is routinely done. Software to monitor and alert on intrusions, or exploitable images / libraries is used.
10
ObservabilityObservability of the application has not been considered.System is observable in manual, and tedious ways, such as remote shell sessions. May require logging into a specific environment.System is observable using ancillary tools such as aggregated logging, and it’s easy to search across services and environments.System is observable, and utilizes distributed tracing across services, and includes infrastructure, cloud based services.
11
PerformancePerformance of the application has not been considered.The projected usage of the system has been documented, but no performance / load testing have been completed.A performance / load test has been established, and has been performed.Performance / load testing is part of regression testing. SLAs on performance have been established, and are actively enforced.
12
Performance MonitoringPerformance Monitoring of the application has not been consideredKey performance metrics have been identified, but no way to effectively measure them has been implemented. (or vice versa)Capability exists to monitor performance but key metrics have not been identified.Capability to monitor key metrics exists, and key metrics are captured and available (dashboard / alerting)
13
Quality AssuranceThe quality of the application has not been considered.Basic unit / integration tests exist.
Majority of QA is manually performed by engineers / other employees.		Some QA is automated, mostly happy path flows.
Manual QA is managed by a test case / test suite manager like Test Rail for repeatability.		Regression and key user flows have automated test suites that alert / block deploys on failure.
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100