
The Concept

Mark Vollmary edited this page Mar 19, 2021 · 2 revisions

A belt comprises several activities from different areas, each of which contributes to improving software security. Within the maturity model, the belts are sized so that each can be achieved within a quarter of a year.

The white belt - with its activities - is our starting point and lays the organizational basis for improving your software security. All other belts (yellow, orange, etc.) directly improve the team and its product. The activities with the best benefit-to-cost ratio are assigned to the early belts (yellow, etc.); consequently, activities in later security belts have a lower benefit-to-cost ratio. Nevertheless, they are still worthwhile if the product has critical software security requirements.

At the moment, benefit and cost values are based on expert judgment. In the future, we seek to measure these values so that the maturity model becomes more accurate and well-founded. Furthermore, each belt follows the rules below, which we consider useful.

  1. Each Security Belt improves transparency, helping the team to better understand, and to communicate to its stakeholders, how well it ensures software security.
  2. Each Security Belt helps the team automate and standardize its new security tasks by introducing at least one new tool.