JustAppSec Scorecard
A quick, lightweight AppSec maturity assessment. Answer the questions below to see where you stand today and the most practical areas to improve next.
1. AppSec has a clear owner.
   A named owner, clear responsibility, and visible goals.
2. We know what we run (apps/APIs) and what data matters.
   A current inventory and a rough sense of data sensitivity.
3. Authentication and authorization are reviewed for major changes.
   Access control, roles/permissions, trust boundaries, and abuse cases.
4. Critical security fixes can be deployed quickly when needed.
   An emergency path exists (days, not months) for high-risk issues.
5. Dependencies are automatically checked for known vulnerabilities.
   SCA (software composition analysis) runs in CI with a clear exceptions/waiver process.
6. Secrets are managed (not stored in repos).
   A secret store plus secret scanning that prevents leaks.
7. Security checks can block a release when needed.
   Quality gates that developers trust (low noise).
8. Security-relevant events are logged and searchable.
   Auth events, privilege changes, and key admin actions.
9. Suspicious activity triggers actionable alerts.
   Clear ownership for triage and response.
10. We practice incident response for real app scenarios.
    At least twice a year (auth bypass, data leak, etc.).
