Insufficient Program Resources
- The software development organization or organizational unit has started an application security program, but the resources allocated to support the program (people, tools, or a combination thereof) are not sufficient, the initiative is either not funded or under-funded.
- This weakness typically occurs in situations where there is no executive-level application security evangelist.
- Prior to a Cyber Incident - Delayed program adoption
- During and After a Cyber Incident - Unknown business risk; impaired incident response
- Critical - This must be addressed immediately.