The Book
Explore Membership
Initiatives
Journey to AppSec MaturityWomen in SecurityS3M2PodcastState of AppSec 2023
Resources
Resource LibraryBlogSecurity Jobs Board
AppSecConPodcastState of AppSec 2023
Events
Upcoming Events
PBC Virtual - JTAM with Vivek Venkatachalam
PBC Connect - RSAC 2025
PBC Virtual -Women In Security Panel
JTAM AWS ReInvent conference
Past Events
PBC Virtual - AI in AppSec Panel
PBC Virtual - JTAM with Vivek Venkatachalam
PBC Virtual - Women in Security Panel
Jim Manico - Security Rules for AI Code Generation
Bengaluru ChapterNew Delhi ChapterNYC Chapter LaunchCyber SoireeWomen In SecurityDavos DialogueFirst LookSBOM
Contact Us
The Book
Membership
Journey to AppSec Maturity
Initiatives
Resources
Events
Join Us

‍S3M2: Scalable Software Security Maturity Model


Software now sits at the heart of every modern enterprise—from automakers to financial institutions. But as organizations race to innovate, speed often outpaces security. Agile methodologies, cloud-native architectures, open source, and microservices have transformed how applications are built and delivered, but they’ve also introduced greater complexity and risk. Application, infrastructure, and cloud security are increasingly interconnected, making a unified, mature approach to software security more essential than ever.

In 2023, members of the Purple Book Community came together to assess the strengths and limitations of existing software security maturity models. The result of their collaboration is the Scalable Software Security Maturity Model (S3M2)—a new, community-driven model designed to help organizations navigate their evolving security posture with greater clarity and confidence.

First introduced at AppSecCon 2023, S3M2 builds on prior models while addressing key gaps identified by practitioners across industries. Developed by experts, for the community, S3M2 offers a practical path forward on the journey to application security maturity.


Read this blog to learn how S3M2 was designed.

Join our S3M2 Workshops

Purple Book Community is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please tick below to say how you would like us to contact you:
View more
Thank you!
Your message has been received and we'll be in touch with you shortly. A confirmation receipt will be sent to the email address you listed.
Return Home
Oops! Something went wrong while submitting the form.

Learn More

Blog

Enhancing an Application Security Program: The Importance of Technology in a Maturity Model

By 
Charan Akiri
,
and
Nov 8, 2023
Blog

What is The Purple Book Community's Scalable Software Security Maturity Model (S3M2)?

By 
Purple Book Community
,
and
Jun 29, 2023
Podcast Series
Episode 16
A New Software Security Maturity Model? What? Why? How?
Nitin and Brook tackle the big Q's surrounding our Journey to AppSec Maturity initiative.
Nitin Raina
Nitin Raina
May 9, 2023
Season 2

Journey to AppSec Maturity: Dialogue at RSA

On April 18th 2023 The Purple Book Community's security experts and guests led a special LinkedIn Live broadcast to discuss how to effectively measure the maturity of application security programs, and the pressing need for a new forward-looking and scalable maturity model.

Session Videos

Topic 1
Topic  2
Topic 3
Topic  4
Session 1: Dustin Lehr
11:00 AM - 11:15 AM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Dustin Lehr -Senior Director, Platform Security, Fivetran
Topic 1: The need for a new AppSec Maturity Model
Host:
Brook Schoenfield
Chief Technology Officer & Chief Security Architect, Resilient Software Security
Session 2: Mithun Rajoor & Nitin Raina
11:15 AM - 11:30 AM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Mithun Rajoor - Head of Application & Infrastructure Security (AIS), S&P Global
Nitin Raina - CISO, Thoughtworks
Topic 1: The need for a new AppSec Maturity Model
Host:
Brook Schoenfield
Chief Technology Officer & Chief Security Architect, Resilient Software Security
Session 3: Maria Schwenger
11:30 AM - 11:45 AM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Maria Schwenger - Partner, Cloud Native Build Practice Leader, IBM
Topic 1: The need for a new AppSec Maturity Model
Host:
Brook Schoenfield
Chief Technology Officer & Chief Security Architect, Resilient Software Security
Session 4: Helen Umberger & Pratik Savla
11:45 AM - 12:00 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Helen Umberger - DevSecOps, The Standard
Pratik Savla - Principal Cybersecurity and Compliance Business Partner, Synaptics
Topic 1: The need for a new AppSec Maturity Model
Host:
Brook Schoenfield
Chief Technology Officer & Chief Security Architect, Resilient Software Security
Session 1: Rick Doten & Erica Anderson
12:00 PM - 12:15 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Rick Doten - VP, Information Security, Centene Corporation
Erica Anderson - Co-Founder & COO, SafeStack
Topic 2: AppSec metrics that matter
Host:
Tanya Janca
Founder & CEO, We Hack Purple Community
Session 2: Mohit Kalra & Pratik Savla
12:15 PM - 12:30 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Mohit Kalra - VP of Security, Typeface
Pratik Savla - Principal Cybersecurity and Compliance Business Partner, Synaptics
Topic 2: AppSec metrics that matter
Host:
Tanya Janca
Founder & CEO, We Hack Purple Community
Session 3: Lucas LaFrance & Swathi Joshi
12:30 PM - 12:45 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Lucas LaFrance - SVP Information Security, PlanetArt
Swathi Joshi - VP, SaaS Cloud Security, Oracle
Topic 2: AppSec metrics that matter
Host:
Tanya Janca
Founder & CEO at We Hack Purple Community
Session 4: Aruneesh Salhotra & Maria Schwenger
12:45 PM - 1:00 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Aruneesh Salhotra - Fractional CISO, SNM Consulting Inc
Maria Schwenger - Partner, Cloud Native Build Practice Leader, IBM
Topic 2: AppSec metrics that matter
Host:
Tanya Janca
Founder & CEO at We Hack Purple Community
Session 1: Aruneesh Salhotra & Russell Ragar
1:00 PM - 1:15 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Aruneesh Salhotra - Fractional CISO, SNM Consulting Inc
Russell Ragar - Head of Security, Snapdocs
Topic 3: Attributes of a modern AppSec Maturity Model
Host:
Mark Lambert
Chief Product Officer, ArmorCode Inc.
Session 2: Brook Schoenfield & Avi Douglem
1:15 PM - 1:30 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Brook Schoenfield - CTO & Chief Security Architect, Resilient Software Security
Avi Douglen - Founder and CEO, Bounce Security
Topic 3: Attributes of a modern AppSec Maturity Model
Host:
Mark Lambert
Chief Product Officer, ArmorCode Inc.
Session 3: Pratik Savla
1:30 PM - 1:45 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Pratik Savla - Principal Cybersecurity and Compliance Business Partner, Synaptics
Topic 3: Attributes of a modern AppSec Maturity Model
Host:
Mark Lambert
Chief Product Officer, ArmorCode Inc.
Session 4: Mark Markow & Robert Hurlbut
1:45 PM - 2:00 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Mark Merkow - Application Security Engineer, Freeport McMoRan
Robert Hurlbut - Principal Application Security Architect Threat Modeling Lead, Aquia Inc
Topic 3: Attributes of a modern AppSec Maturity Model
Host:
Mark Lambert
Chief Product Officer, ArmorCode Inc.
Session 1: Chitra Dharmarajan & Valmiki Mukherjee
2:00 PM - 2:15 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Chitra Dharmarajan - Senior Director, Security & Privacy Engineering, Okta
Valmiki Mukherjee - CEO & Founder, Cybrize; Chairman & Founder, Cyber Future Foundation
Topic 4: Right-sizing the maturity model for your organization
Host:
Aruneesh Salhotra
Fractional CISO, SNM Consulting Inc
Session 2: Prabhat Karanth & Viraj Gandhi
2:15 PM - 2:30 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Prabhath Karanth - Global Head of Security & Trust, Navan
Viraj Gandhi - Product Security Manager, SailPoint
Topic 4: Right-sizing the maturity model for your organization
Host:
Aruneesh Salhotra
Fractional CISO, SNM Consulting Inc
Session 3: Cassie Crossley
2:30 PM - 2:45 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Cassie Crossley - VP Supply Chain Security, Cybersecurity & Product Security Office, Schneider Electric
Topic 4: Right-sizing the maturity model for your organization
Host:
Aruneesh Salhotra
Fractional CISO, SNM Consulting Inc
Session 4: Maria Schwenger
2:45 PM - 3:00 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Maria Schwenger - Partner, Cloud Native Build Practice Leader, IBM
Topic 4: Right-sizing the maturity model for your organization
Host:
Aruneesh Salhotra
Fractional CISO, SNM Consulting Inc
The Book
Explore Membership
Initiatives
Journey to AppSec MaturityWomen in SecurityS3M2PodcastState of AppSec 2023
Resources
Resource LibraryBlogSecurity Jobs Board
AppSecConPodcastState of AppSec 2023
Events
Upcoming Events
PBC Virtual - JTAM with Vivek Venkatachalam
PBC Connect - RSAC 2025
PBC Virtual -Women In Security Panel
JTAM AWS ReInvent conference
Past Events
PBC Virtual - AI in AppSec Panel
PBC Virtual - JTAM with Vivek Venkatachalam
PBC Virtual - Women in Security Panel
Jim Manico - Security Rules for AI Code Generation
Bengaluru ChapterNew Delhi ChapterNYC Chapter LaunchCyber SoireeWomen In SecurityDavos DialogueFirst LookSBOM
Contact Us
Uniting security professionals on a mission to democratize software security and solve its ever-evolving challenges with the power of Community.
The Book
S3M2
Podcast
Blogs
Membership
Explore Membership
Resources
Contact Us
Powered by ArmorCode Inc.
Copyright © 2025. All rights reserved.
|
Privacy Policy
|
Terms & Conditions
The information contained in The Purple Book of Software Security and the contents of the Purple Book Community website contain ideas expressed by Purple Book Community members. These opinions are their own, do not reflect the views of the organizations they belong to, and have no affiliation with nor make any endorsement of any commercial products or services, including those of community sponsors.