What kind of metrics will I get?
The first set of metrics will be the scorecards describing your organization's SDL maturity level. Even if you don't have an official SDL program, you likely already have at least a few of the pieces in place, and the scorecards will give credit for them.
Some of the most valuable metrics will become available as artifacts of the working SDL program itself, including:
- An application inventory with data classifications.
- A record of risk questionnaires for each of your applications.
- Threat models for each application.
- Bug tracking metrics that capture the security cause, effect, and impact of each defect.
- A record of accredited final security review signoffs.
The initial report will document the current state of security in your company and contrast it with the desired SDL maturity level. It will then lay out a roadmap that identifies the most important weaknesses and the steps needed to address them, in priority order.
From that point forward, you will receive regular reports describing progress toward the goal. Each report will cover the milestones met since the last report and the steps necessary to meet the next ones. Both BSIMM6 and Microsoft SDL scorecards (as shown in the Sample Scorecards below) will be provided, giving clear, concise checklists of progress in every area of the SDL program.
Microsoft SDL Sample Scorecard
Microsoft established a security-industry benchmark when it released its SDL framework publicly in 2008. The scorecard below is a slightly modified version of the Microsoft Simplified SDL. It measures 52 specific capabilities across 5 phases of the SDLC. Our first goal in working with you is to reach the maturity level represented here: all "standard" SDL capabilities (those highlighted in green) are implemented, meaning you have an industry-standard SDL program in place. The items highlighted in red represent higher maturity levels that you may reach over time.
BSIMM6 Sample Scorecard
The BSIMM6 study collected data from 78 organizations across many industries about the maturity of their software security programs, in order to learn about the variations in SDL implementations as well as the common ground. The BSIMM captures 112 activities across 12 practice areas, providing a more granular view than the Microsoft SDL scorecard. It groups those activities into 3 maturity levels, and the sample scorecard below illustrates an organization that has implemented all 40 activities in the first of the three levels. The items in red represent activities in the higher maturity levels which the organization has not yet reached. Note that the BSIMM records whether an activity is observed in the organization, not how well it is performed, so a full level-1 scorecard is a statement of coverage rather than of effectiveness.
Casaba prides itself on providing thorough, transparent reports for executive management. The metrics provided will cover progress through the program, the areas where improvement is needed, and the important milestones to aim for next.