Strategy & Management services

Running an effective application security program can be a daunting task, especially if you've yet to reach the size to staff a full-fledged InfoSec department.
We can bootstrap your security program, provide a CISO to implement and oversee your security program, or assess and improve your current security program.

Security Assessment

Get an overview of your current security posture and what can be improved, that's the goal of a security assessment. It's the map that helps you navigate the maze called application security. If you haven't recently performed a security assessment of your application, this is the activity to start with as it helps you prioritize all other activities.

The result of a security assessment is a scoring of your security practices and more importantly a list of suggested improvements. Our security assessment is based on OWASP SAMM, an industry standard model to analyze and improve your security posture.

Our way of working

To start, we will get to know you, your company, the application(s) you develop and the team that develops them. This first important step helps us decide the scope of the assessment and the team that will work on it.

We will gather existing documentation from you that will help us assess your application: previous assessment reports, existing written application security policies and practices, documented development practices, etc... The existence, or non-existence, of this documentation already tells us a lot about your security posture.

We will perform interviews with select team members to assess your security practices and the tools and processes in place to support them. The questions in this interview are based on the OWASP Software Assurance Maturity Model (SAMM). This industry standard model is the basis of our assessment.

When the interviews are over and documentation is reviewed, a list of possible improvements is created. We will refine this list in close cooperation with you to select the best and most relevant improvements for your company and application. This is where our years of experience prove vital in selecting the most relevant, cost-effective and impactful improvements for your team to work on.

Your application security score and our carefully selected improvements will be presented in a final report. The suggestions are actionable and should quickly result in improvements to your security posture.

Chief Information Security Officer as a service (vCISO)

The Chief Information Security Officer (CISO) is the person on your executive team who leads the Information Security (InfoSec) team. They create and oversee the implementation of the strategic security plan to protect its assets and technologies from threats. For companies that develop software, Application Security is a major part of a CISO's daily job.

Finding a good CISO can be difficult and expensive. Especially if you've yet to reach the size to staff a full-fledged InfoSec department. To help smaller companies meet their strategic security goals we can provide a highly trained professional to fill the CISO role, with full flexibility regarding time and expenses.

Our way of working

Before we can suggest a person for the CISO role, we will first need to know you better. What's your company really like, what are the challenges and opportunities and how does your company currently operate. Only then can we propose the right person for the job.

Our vCISO service is very flexible. Need a burst of work upfront implementing a security program and then a trickle afterwards maintaining it? No problem. Need a steady but low weekly amount of work done? Can do. We will find a solution that works for you.

Your new CISO will lead your InfoSec team and improve security in your business.


With certification you can prove to clients that the business' security practices are of a certain standard. There are many different types of certification. Some are more general, like ISO 27000, while others are industry specific, like PCI DSS for the payment industry. What all of them have in common is that you'll need a solid application security program to obtain them.

We can help you reach certification by assessing your security practices and improving them to the required level. Our expertise will help you implement the right security practices. This way you will not only reach certification but also improve your security in the process.

Our way of working

We assess your current security practices and compare them against the certification requirements. We'll give concrete advice on how to close remaining gaps with new or improved processes and tools.

The audit team has arrived to assess your business for compliance. We will be present as well to help present the right documentation, answer questions and make sure the audit progresses smoothly.

Almost every certification requires continued investment in existing and new security practices. Certification requirements are often revised to include new techniques and practices that you'll have to implement. We make sure you stay current and maintain your certification when the next audit comes around.

Risk management

Risk management is the process of identifying factors that could negatively affect assets and implementing cost-effective solutions for managing or reducing risk. The risk management process drives the information security strategy and results in the implementation of security practices and policies.

During a risk assessment we examine the business and the environment in which it operates for threats and estimate the likelihood that they impact the business. We then propose countermeasures to reduce the risk to an acceptable level.

Our way of working

During a risk assessment we examine the business and the environment in which it operates for threats and estimate the likelihood that they impact the business. This can be both qualitative or quantitative.

After we've identified threats and the risk they present, we then propose countermeasures to reduce this risk to an acceptable level. These countermeasures will get included in your strategic security plan.

Sooner or later, disaster will strike (we got hacked!). Some of the risk might be mitigated already (insurance, data backed up,...), but there will still be a lot of work to do to get operational again. We can help you create a disaster recovery plan to get back online as soon as possible after a disaster.
Our mission

Secuma helps technology companies develop more secure applications. We encourage and guide the integration of security best practices in the entire Software Development Lifecycle, improving the security of your applications and stopping issues from becoming incidents.

Sels Software & Security BV
Hoogputstraat 22B
3690 Zutendaal

Thank you for visting Secuma |
Pictures courtesy of Unsplash