Consulting

We can advise you on the basis of over 10 years of practical experience in projects and systems, and we consider all aspects, approaches and security measures at the application level.

Web application security can be carried out throughout the entire software development lifecycle (SDLC). The following applies: The earlier a measure is implemented in the SDLC, the stronger and more lasting its effect will be.

Web application security offers a very broad and by now almost confusing range of options for providing security. There is no sure-fire formula, nor a process that can be applied equally to all companies.

It is essential to find the approach that best matches the particular situation and to express this in a company-wide software security strategy.

We utilise modern methods and process models to support companies, departments or teams in finding the right strategy and establishing comprehensive software and application security:


OpenSAMM, the freely available Software Assurance Maturity Model, with which the current status of web application security is systematically analysed, suitable additional measures are identified, their strength and characteristics are defined, and the whole is subjected to a process of continuous improvement.

BSIMM (Building Security In Maturity Model) is very similar to OpenSAMM. We mainly use it in addition to OpenSAMM, as it offers greater clarity in certain areas.

Roadmap Workshop

Our Roadmap Workshop generally offers a good introduction to the subject. It includes the following four stages:

1 - Review of the current situation


Preparation

  • We will send you a questionnaire to prepare for the workshop.

Organisation of the workshop

  • We present our approach
  • We agree the framework together with you, including resources, HR involvement, budget and time frame, etc.
  • Rough review of the current situation of the software and web applications used
  • Definition of risk classes and assignment of the applications to those risk classes

Homework stage

  • Production of the software inventory and assignment to risk classes

Result: We now have a software inventory, and the individual components are assigned to risk classes.

2 - Planning

  • Definition of objectives and sub-objectives
  • Definition of activities
  • Production of metrics to assess the procedure
  • Production of a roadmap

Result: We now have a roadmap with which to proceed.

3 - Implementation phase 1

A differentiation is made between the review of existing applications and the procedure for new developments. With older applications, the issue predominantly involves identifying security problems and applying counter-measures in the most cost-effective way possible. With new applications, the problem needs to be solved at its very root, and organisational measures have to be implemented to improve the software development lifecycle (SDLC).

Existing situation

  • Security analysis of applications with priority given to “red” risk class.
  • Pragmatic validation of the problems

New developments

  • Implementation of simple but effective measures to improve security
  • Prioritisation based on the risk class
  • Security knowledge and expertise are primarily purchased

4 - Additional phases

Additional implementation phases are planned depending on the individual requirements and security objectives. The typical planning horizon is around 3 years.

Existing applications

  • Security analysis of applications in the lower risk classes
  • Pragmatic validation of the problems

New applications

  • Expansion of activities to lower risk classes
  • Intensification of activities
  • Reduction of test intervals
  • Gradual integration of security knowledge and expertise into the company