Your Guide to Evaluation Criteria for a Secure Application Lifecycle Management Solution

August 26, 2013

To keep an unbiased perspective when evaluating software or a service, it is best to have the important criteria ready beforehand. This ensures that during the evaluation period you can keep an eye on the key factors that matter to you, and gives you an easier way to make decisions commensurate with your goals.

We have looked at what questions enterprise organizations had when evaluating secure application lifecycle management solutions and put together a guide of evaluation criteria below. The list might be overwhelming, so we encourage you to pick the items that align with your goals so that you choose the solution that’s right for you.

Evaluation Criteria

  1. How can the tool help to automate and streamline the secure software development life cycle process?
  2. How does the tool automate and improve our ability to gather and track application security requirements?
  3. Can the tool be used to improve analysis time for security fixes and other incoming requests, reducing the number of man-hours spent on false positives?
  4. Does the tool provide security guidance and links to reference material to application teams?
  5. Does the tool provide auditability of user actions?
  6. Does the tool have the ability to export requirements to other systems such as Issue Tracking tools and other Application Lifecycle Management (ALM) solutions?
  7. Does the tool provide for multiple user privilege levels and permissions (e.g. admin, user, read-only)?
  8. Is the content periodically updated with the latest security requirements by the vendor?
  9. How long does it take on average to model an application and compile a threat report and/or get a requirements list?
  10. How long does it take on average to model a new release of a previously modeled application?
  11. How does the process, and the tool used for it, benefit each of the following roles, whether by improving performance, by saving time, or by other means?
  • Developers
  • Project Lead / Project Manager / Architect
  • QA / Testers
  • IT and Application Security experts
  • Product and Project Managers
  • Security Managers
  12. What is the estimated Return On Investment (ROI)?
  13. Is data transmitted to the application over a secure channel?
  14. For the SaaS (software as a service) model, is the tool accessible 24/7 (except for standard maintenance)?
  15. Does the tool vendor have controls in place to keep the data secure?
  16. How easy is the tool to use? Do new users need significant training to understand the application, or is it intuitive?
  17. Is the tool useful for people with different degrees of security expertise?
  18. Has the tool been successfully deployed and adopted in other complex environments?
  19. Do other customers have positive feedback about using the tool?
  20. Does the tool help build in and track compliance with relevant regulations and legislation?
  21. Can we add custom content to match our needs?
  22. Can we modify vendor-supplied content?

Heading into an evaluation with defined criteria will allow you to remain objective and keep an eye on the factors that are critical to your success.
