Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance for the appropriate planning, delivery and support of the organization's application security capabilities. Review and update the policies and procedures at least annually.
Establish, document and maintain baseline requirements for securing different applications.
Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations.
Define and implement an SDLC process for application design, development, deployment, and operation in accordance with security requirements defined by the organization.
Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. Automate when applicable and possible.
Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible.
Define and implement a process to remediate application security vulnerabilities, automating remediation when possible.