Nobody likes the idea of spinning their wheels.  

Unfortunately, that’s what happens with organizations when they are faced with the barrage of information on what tools to use, what vulnerabilities need the most attention, and find themselves in a web of unstructured processes that keep them from moving forward. 

What good are the best AppSec tools, if you don’t have the right strategy, processes, and implementation in place to use the tools efficiently and effectively?  

This is why understanding your AppSec program’s maturity matters.  

You don’t know what you don’t know. If tools are not being used consistently, effectively, or at all, AppSec programs can fall into a dangerous pattern of working on the least critical aspects, while unknowingly creating larger blind spots and issues in the future.  

The more maturity an AppSec program has, the more continuously those programs build in security throughout their software development lifecycle (SDLC). The problem is, it’s difficult to keep all the moving parts working in tandem. Each tool used must be used consistently, and effectively, to remediate confirmed vulnerabilities, protect critical assets, and keep stakeholders in the loop of timelines and risk. A more mature AppSec program signifies a proactive, rather than reactive, stance to security. A mature organization doesn’t merely respond to threats; it anticipates and mitigates them, significantly reducing the window of opportunity for malicious users. This forward-thinking approach saves valuable time and resources, while safeguarding business continuity.   

The limitations of alternative AppSec maturity models 

Maturity models in AppSec and DevSecOps are not new. There are existing frameworks, however, they are not without their downsides. 

1. Information overload: Some assessments can be overwhelming for someone who just wants to get a high-level overview of the current situation and get an indication of where to get started. It can be difficult for AppSec managers to have to go into a great level of detail before they have the chance to make improvements to their current SDLC. Many of these assessments can take several days or even a week.  

2. Long and tedious timelines: Some existing models have too many results for the user, which might lead them to lose sight of what their immediate priority should be. Furthermore, these models tend to lead users far into the future typically building a detailed plan for 4 or 5 phases ahead of where they currently are. While looking into the future is great, these methodologies don’t work in modern development organizations. Because of constantly changing environment organizations have adapted to invest in only the right amount of planning: make detailed plans in the short term and longer-term plans only at a high level – this is aligned with enterprise Agile frameworks such as the Scaled Agile Framework (SAFe). 

3. Stakeholder concerns: SDLCs and AppSec programs have many different stakeholders. Each stakeholder has different responsibilities, and perspectives, on the overarching process and outcome. Developers are often focused on meeting their objectives, which means security can fall off their priority list since their focus is on getting the required functionality in place. However, to other stakeholders such as CISOs or AppSec managers, the software development organization should also be aware and manage application risks. Depending on the type of software, these risks can be substantial. Existing frameworks typically focus on one of these perspectives. For example, some other frameworks are focused on the management perspective, while others are focused on the developer perspective.  

So, how do we address these challenges, while still trying to give users a way to understand their AppSec maturity? Checkmarx developed the AppSec Program Methodology and Assessment™ (APMA) methodology – it takes a simpler, more pragmatic, and more agile, approach. 

How is the AppSec Program Methodology and Assessment (APMA) different? 

We introduced the AppSec Program Methodology and Assessment (APMA) methodology in a previous blog post. APMA is different in that it has a low barrier to entry, does not require a long planning horizon, and takes all stakeholders’ perspectives into consideration. It still has the benefit of a maturity model, in that it gives you a baseline of a current state as a starting point for improvements that help you see the progress you’re making, and how you quickly bite off chunks of the backlog to the reach desired state. 

How does it work and how does it differ from other application security methodologies? 

The steps of the full methodology are:   

1. Identifying gaps by speaking with your Checkmarx expert to get an overview of the current situation.  

2. Agreeing on a target or desired state, considering your goals and AppSec best practices. 

3. Working in short iterations with a few actions (sprints) to gradually close the gap and reach the desired state.  

With the APMA Premium Assessment, you will work with one of our AppSec advisors. The interview process is short – taking on average 1-2 hours. Based on the interview, our AppSec advisors will create an assessment report and come to an agreed plan. This report includes the recommended actions for the next sprint and a preview of the following sprint. It also includes an overview of the backlog of actions to reach the desired state. 

Another AMPA offering is the Comprehensive Assessment. This is an assessment where stakeholders from different functions are interviewed. The purpose of this is to break down organizational siloes and bring in multiple perspectives. This allows organizations to notice the differences in perceptions of the AppSec program, and gaps in communication, which can then be addressed in the APMA report following the assessment. 

Introducing APMA Digital – Try it for Free! 

In addition to the premium and comprehensive assessment, we are excited to introduce APMA Digital, a free and fully automated way to receive an APMA assessment that will give you actionable recommendations within minutes. 

And, best of all, this is open to everyone – whether you are a Checkmarx user or not – at no cost and the results are available within minutes. Get started now. 

In just 15 minutes, you can start your path to AppSec maturity. 

What’s involved? 

• A short self-service questionnaire with just a few quick questions. 

• Get an automatically generated report analyzing your AppSec posture and recommended areas of improvement for your next sprint. 
• Take the results and start improving your AppSec maturity. 

Field-proven with the world’s leading enterprises 

We recently completed our 100th APMA premium assessment. The largest enterprises have seen significant value from these assessments.  For example, a market-leading digital travel platform provider said: “The thorough examination of various aspects of our processes, along with identifying potential bottlenecks and inefficiencies, has given us a clear roadmap. With this newfound understanding, we can prioritize our efforts and allocate resources more effectively, enhancing our overall performance.” Or Christophe Piquet, AppSec Manager at Cdiscount  said “The APMA methodology elevated the discussion to the overall spectrum of an AppSec program and zoomed out from the day-to-day discussion that usually is driven by a tactical or operational issues to fix.”  

15 minutes to start your path to AppSec maturity 

Are you ready to find and focus on the most critical issues, maximize your return on investment into AppSec, and increase developer buy-in? Investing in AppSec maturity isn't just about reducing risk and preventing business-critical incidents. It's about fostering a culture of security within the organization, ensuring compliance, preserving brand reputation, and instilling confidence with internal and external stakeholders around your commitment to AppSec. 

All it takes is 15 minutes, and you’ll have an idea of where you can take immediate action to help your AppSec program become more efficient and impactful, and your organization more secure. Take the first step now and perform a self-assessment and get an APMA report within minutes here! 

Carsten Huth

Carsten has specialized on application security for over 12 years. He joined Checkmarx in 2016, initially as the first Technical Account Manager (TAM) supporting Checkmarx’s strategic and large accounts. With growing demand Carsten built and managed the TAM team in EMEA over the following years. Furthermore, in 2019, Carsten started building the AppSec advisory practice at Checkmarx, at the beginning in parallel to his responsibility as TAM team leader. He is now fully focussed on AppSec advisory and is managing the practice globally as the head of AppSec Advisory. Prior to joining Checkmarx Carsten was the EMEA practice principal for professional services at HP/Fortify and prior to that worked for several years as a software security consultant implementing AppSec solutions in EMEA and beyond. In the AppSec community, Carsten has co-authored the OWASP SAMM/OpenSAMM standard and presented at various application security conferences. Carsten is certified as CSSLP, CISSP (ISC2) and CISM (ISACA) and holds a doctorate in computer science and business administration from the University of Paderborn, Germany. Before changing to the private sector in 2006, Carsten held the position of a senior research officer at the University of Essex, UK.

See All Blogs >

Carsten Huth

Carsten has specialized on application security for over 12 years. He joined Checkmarx in 2016, initially as the first Technical Account Manager (TAM) supporting Checkmarx’s strategic and large accounts. With growing demand Carsten built and managed the TAM team in EMEA over the following years. Furthermore, in 2019, Carsten started building the AppSec advisory practice at Checkmarx, at the beginning in parallel to his responsibility as TAM team leader. He is now fully focussed on AppSec advisory and is managing the practice globally as the head of AppSec Advisory. Prior to joining Checkmarx Carsten was the EMEA practice principal for professional services at HP/Fortify and prior to that worked for several years as a software security consultant implementing AppSec solutions in EMEA and beyond. In the AppSec community, Carsten has co-authored the OWASP SAMM/OpenSAMM standard and presented at various application security conferences. Carsten is certified as CSSLP, CISSP (ISC2) and CISM (ISACA) and holds a doctorate in computer science and business administration from the University of Paderborn, Germany. Before changing to the private sector in 2006, Carsten held the position of a senior research officer at the University of Essex, UK.

See All Blogs >

Never miss an update. Subscribe today!

By submitting my information to Checkmarx, I hereby consent to the terms and conditions found in the Checkmarx Privacy Policy and to
the processing of my personal data as described therein. By clicking submit below, you consent to allow Checkmarx
to store and process the personal information submitted above to provide you the content requested.