ABSTRACT

Security needs to be considered during the coding process, for example by choosing known and stable libraries from a framework. Using a framework solves many problems in code development, as long as the engineering organization keeps its frameworks updated. An organization that is beginning to establish strategy and metrics would identify organizational drivers related to risk tolerance and define metrics that give insight into the effectiveness and efficiency of the application security part of the information security program. A mature organization would align the application security program to support the organization's growth and would influence the strategy based on those metrics and the organization's needs. The strengths of the model are that it is process driven, supports the complete software development life cycle, and is agnostic regarding technology and process.