The Book
Membership
Explore MembershipGlobal Expansion Program
AppSecConS3M2Journey to AppSec Maturity
Events
Upcoming Events
RSAC 2024
JTAM OWASP Global AppSec conferenceJTAM AWS ReInvent conference
Past Events
Mumbai ChapterAtlanta ChapterBengaluru ChapterNew Delhi ChapterNYC Chapter LaunchCyber SoireeWomen In SecurityDavos DialogueFirst LookSBOM
Cyber Future Dialogue 2024
JTAM Virtual Workshop - September
JTAM Roundtable - OWASP Global AppSec
Resources
PodcastsBlogsState of AppSec 2023
Contact Us
The Book
Membership
Explore Membership
Global Expansion Program
AppSecCon
S3M2
Journey to AppSec Maturity
Events
Resources
Contact Us

‍S3M2: Scalable Software Security Maturity Model

Abstract

Today, every company is a software company. 

Tesla, Coca Cola, Goldman Sachs, and John Deere are run by software applications. Software is a source of competitive advantage and a central pillar of an organizational strategy, and so delivering it quickly usually gets priority over delivering it securely. 

As software development and cyber threats evolve, software security faces increased challenges. Agile DevOps, cloud, microservices, and open source have all dramatically accelerated application delivery and complexity. Application security, infrastructure security, and cloud security are getting more intertwined, creating a complex security posture that needs to be managed and protected. On their Journey to AppSec Maturity (JTAM), organizations are looking for a map to chart a course for a success.

Earlier this year, several Purple Book Community members organized community meetups to discuss current AppSec and Software Security maturity models. After much research and dialogue, a team assembled to build upon these existing models, creating a new Scalable Software Security Maturity Model (S3M2). The existing models are great at what they are designed for. This model seeks to fill some of the additional needs the community members felt that they need a new model for. 

This is a 100% Community-driven model, developed by a team of AppSec experts from diverse industries for the benefit of the broader security community. 


Read this blog to learn how S3M2 is designed.


The 0.5 version of this model was launched at AppSecCon 2023, and we are now seeking community input to make it more comprehensive and robust. We are also seeking participation from more security experts to join the core team to mature this model further. 

We will also be organizing virtual and in-person workshops at regular intervals (once or twice a month) between now and December. We seek your participation in these 3 hour workshops as well. Dates are yet to be determined and will be decided based on interest level from each city. 

Please fill out the form on this page to express your interest.

Join our S3M2 Workshops

Oops, I feel you need to check the number
Oops, I feel you need to check the number
Oops, I feel you need to check the number
Oops, I feel you need to check the number
Oops, I feel you need to check the number
Oops, I feel you need to check the number
Oops, I feel you need to check the number
Purple Book Community is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please tick below to say how you would like us to contact you:
View more
Thank you!
Your message has been received and we'll be in touch with you shortly. A confirmation receipt will be sent to the email address you listed.
Return Home
Oops! Something went wrong while submitting the form.

Learn More

Blog

Enhancing an Application Security Program: The Importance of Technology in a Maturity Model

By 
Charan Akiri
,
and
Nov 8, 2023
Blog

What is The Purple Book Community's Scalable Software Security Maturity Model (S3M2)?

By 
Purple Book Community
,
and
Jun 29, 2023
Podcast Series
Episode 16
A New Software Security Maturity Model? What? Why? How?
Nitin and Brook tackle the big Q's surrounding our Journey to AppSec Maturity initiative.
Nitin Raina
Nitin Raina
May 9, 2023
Season 2

Journey to AppSec Maturity: Dialogue at RSA

On April 18th 2023 The Purple Book Community's security experts and guests led a special LinkedIn Live broadcast to discuss how to effectively measure the maturity of application security programs, and the pressing need for a new forward-looking and scalable maturity model.

Session Videos

Topic 1
Topic  2
Topic 3
Topic  4
Session 1: Dustin Lehr
11:00 AM - 11:15 AM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Dustin Lehr -Senior Director, Platform Security, Fivetran
Topic 1: The need for a new AppSec Maturity Model
Host:
Brook Schoenfield
Chief Technology Officer & Chief Security Architect, Resilient Software Security
Session 2: Mithun Rajoor & Nitin Raina
11:15 AM - 11:30 AM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Mithun Rajoor - Head of Application & Infrastructure Security (AIS), S&P Global
Nitin Raina - CISO, Thoughtworks
Topic 1: The need for a new AppSec Maturity Model
Host:
Brook Schoenfield
Chief Technology Officer & Chief Security Architect, Resilient Software Security
Session 3: Maria Schwenger
11:30 AM - 11:45 AM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Maria Schwenger - Partner, Cloud Native Build Practice Leader, IBM
Topic 1: The need for a new AppSec Maturity Model
Host:
Brook Schoenfield
Chief Technology Officer & Chief Security Architect, Resilient Software Security
Session 4: Helen Umberger & Pratik Savla
11:45 AM - 12:00 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Helen Umberger - DevSecOps, The Standard
Pratik Savla - Principal Cybersecurity and Compliance Business Partner, Synaptics
Topic 1: The need for a new AppSec Maturity Model
Host:
Brook Schoenfield
Chief Technology Officer & Chief Security Architect, Resilient Software Security
Session 1: Rick Doten & Erica Anderson
12:00 PM - 12:15 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Rick Doten - VP, Information Security, Centene Corporation
Erica Anderson - Co-Founder & COO, SafeStack
Topic 2: AppSec metrics that matter
Host:
Tanya Janca
Founder & CEO, We Hack Purple Community
Session 2: Mohit Kalra & Pratik Savla
12:15 PM - 12:30 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Mohit Kalra - VP of Security, Typeface
Pratik Savla - Principal Cybersecurity and Compliance Business Partner, Synaptics
Topic 2: AppSec metrics that matter
Host:
Tanya Janca
Founder & CEO, We Hack Purple Community
Session 3: Lucas LaFrance & Swathi Joshi
12:30 PM - 12:45 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Lucas LaFrance - SVP Information Security, PlanetArt
Swathi Joshi - VP, SaaS Cloud Security, Oracle
Topic 2: AppSec metrics that matter
Host:
Tanya Janca
Founder & CEO at We Hack Purple Community
Session 4: Aruneesh Salhotra & Maria Schwenger
12:45 PM - 1:00 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Aruneesh Salhotra - Fractional CISO, SNM Consulting Inc
Maria Schwenger - Partner, Cloud Native Build Practice Leader, IBM
Topic 2: AppSec metrics that matter
Host:
Tanya Janca
Founder & CEO at We Hack Purple Community
Session 1: Aruneesh Salhotra & Russell Ragar
1:00 PM - 1:15 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Aruneesh Salhotra - Fractional CISO, SNM Consulting Inc
Russell Ragar - Head of Security, Snapdocs
Topic 3: Attributes of a modern AppSec Maturity Model
Host:
Mark Lambert
Chief Product Officer, ArmorCode Inc.
Session 2: Brook Schoenfield & Avi Douglem
1:15 PM - 1:30 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Brook Schoenfield - CTO & Chief Security Architect, Resilient Software Security
Avi Douglen - Founder and CEO, Bounce Security
Topic 3: Attributes of a modern AppSec Maturity Model
Host:
Mark Lambert
Chief Product Officer, ArmorCode Inc.
Session 3: Pratik Savla
1:30 PM - 1:45 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Pratik Savla - Principal Cybersecurity and Compliance Business Partner, Synaptics
Topic 3: Attributes of a modern AppSec Maturity Model
Host:
Mark Lambert
Chief Product Officer, ArmorCode Inc.
Session 4: Mark Markow & Robert Hurlbut
1:45 PM - 2:00 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Mark Merkow - Application Security Engineer, Freeport McMoRan
Robert Hurlbut - Principal Application Security Architect Threat Modeling Lead, Aquia Inc
Topic 3: Attributes of a modern AppSec Maturity Model
Host:
Mark Lambert
Chief Product Officer, ArmorCode Inc.
Session 1: Chitra Dharmarajan & Valmiki Mukherjee
2:00 PM - 2:15 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Chitra Dharmarajan - Senior Director, Security & Privacy Engineering, Okta
Valmiki Mukherjee - CEO & Founder, Cybrize; Chairman & Founder, Cyber Future Foundation
Topic 4: Right-sizing the maturity model for your organization
Host:
Aruneesh Salhotra
Fractional CISO, SNM Consulting Inc
Session 2: Prabhat Karanth & Viraj Gandhi
2:15 PM - 2:30 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Prabhath Karanth - Global Head of Security & Trust, Navan
Viraj Gandhi - Product Security Manager, SailPoint
Topic 4: Right-sizing the maturity model for your organization
Host:
Aruneesh Salhotra
Fractional CISO, SNM Consulting Inc
Session 3: Cassie Crossley
2:30 PM - 2:45 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Cassie Crossley - VP Supply Chain Security, Cybersecurity & Product Security Office, Schneider Electric
Topic 4: Right-sizing the maturity model for your organization
Host:
Aruneesh Salhotra
Fractional CISO, SNM Consulting Inc
Session 4: Maria Schwenger
2:45 PM - 3:00 PM

We all need to work together to speed up adoption of application security practices and to encourage (if not mandate) such adoption. There are many challenges ahead for AppSec teams, building a community is the best way to prepare practitioners to face them.


The Purple Book of Software Security is the perfect example of a community coming together to create a critical resource. All organizations can use this as a launching pad for utilizing and developing new tools and frameworks - that not only improve security but also improve and sustain reliability and agility in the software production process. The book is just the beginning of a plan to create a series of go-to resources for software security leaders and practitioners.


This session is all about the power of a community, the Purple Book Community, and how it aims to further the adoption of software security practices and support practitioners in their goals of developing scalable application security programs.

In this session you will learn:

  • How working together as community furthers AppSec adoption
  • Examples of how the community worked together
  • The future of the Purple Book Community
Speakers
Maria Schwenger - Partner, Cloud Native Build Practice Leader, IBM
Topic 4: Right-sizing the maturity model for your organization
Host:
Aruneesh Salhotra
Fractional CISO, SNM Consulting Inc
The Book
Membership
Explore MembershipGlobal Expansion Program
AppSecConS3M2Journey to AppSec Maturity
Events
Upcoming Events
RSAC 2024
JTAM OWASP Global AppSec conferenceJTAM AWS ReInvent conference
Past Events
Mumbai ChapterAtlanta ChapterBengaluru ChapterNew Delhi ChapterNYC Chapter LaunchCyber SoireeWomen In SecurityDavos DialogueFirst LookSBOM
Cyber Future Dialogue 2024
JTAM Virtual Workshop - September
JTAM Roundtable - OWASP Global AppSec
Resources
PodcastsBlogsState of AppSec 2023
Contact Us
Uniting security leaders and practitioners on a mission to democratize software security and solve its ever-evolving challenges with the power of Community.
The Book
Membership
Podcasts
Blogs
Events
Past Events
AppSecCon New York Reception
AppSecCon Austin Reception
AppSecCon  Santa Clara Reception
Mumbai Chapter
Atlanta Chapter
Bengaluru Chapter
Davos Dialogue
Resources
Contact Us
Copyright © Powered By ArmorCode Inc.
Privacy Policy
|
Terms & Conditions
The information contained in the Purple Book of Software Security and associated marketing material contains content expressed by Purple Book Community members. These opinions are their own, are not affiliated with the organizations that they belong to and have no commercial affiliation or any endorsement of any commercial products or services, including the community sponsors.