Please specify your role in the organisation
How many people does your company employ?
How many people report to you?
In which industry does your company operate?
1. In your application development projects, how do you approach threat modelling?
2. Does the team have coding skills to build security protection into frameworks and templates in ways that are safe and easy to use?
3. Is there a close collaboration between security engineers and software engineers in the team?
4. Does the security function offer self-service options for automated continuous integration, providing self-service builds and testing?
5. Are enterprise compliance standards clearly understood by the project team?
6. Does the project follow any standard metrics/KPIs?
7. How is security monitored in the project's operational environment?
8. What is the frequency of static scans performed for the application codebase?
9. Are all applications scanned for open source component analysis?
10. Is "all code" considered for automated testing (i.e., not just application code, but also infrastructure code, e.g., Ansible Playbooks, Terraform, etc.)?
11. How is feedback provided to developers on issues found in scans?
12. Is software component analysis performed in each CI/CD pipeline?