There are currently many different ways to perform a security assessment on a software application under development, whether it is a code review, a penetration test, or an assessment of the development process maturity. Examples include a Payment Application Data Security Standards (PA-DSS) assessment by the Payment Card Industry (PCI) Council or a Building Security In Maturity Model (BSIMM) assessment by Cigital, Inc.
However, these assessments present several challenges and drawbacks:

- Current assessment and scoring models are all points in time. They lack continuity and therefore long-term meaning.
- They also only offer a "siloed" view. For example, a pen test result or code review result represents only a single technical perspective.
- The current scoring models are also too broad and not actionable. For example, BSIMM, as an organizational measure producing a single score for the organization, cannot effectively uncover issues at the individual application and team level because of the varying degrees of inconsistency that exist between them.
- Many secure development maturity assessments are conducted through interviews, which makes the results subjective.
Additionally, with the recent adoption of Agile development and DevOps practices, integrating security into development is becoming an increasingly challenging obstacle, due to the complexity and the amount of manual effort involved. In a large technology organization, where there are often hundreds of development teams and thousands of applications being built, incorporating detailed security requirements and activities throughout the development lifecycle has become a daunting problem that is cost prohibitive and impractical with current systems and methods. As a result, security continues to be an afterthought in many software development organizations, and the security team continues to struggle to play catch-up.