# Best Practices
This section covers recommended approaches for getting the most out of Mayo ASPM. Each guide provides actionable advice drawn from teams that have successfully adopted the platform.
## Guides
| Guide | Description | Best for |
|---|---|---|
| Organizing your security program | Structure projects, teams, and workflows | Getting started, scaling up |
| Triage workflows | Handle findings efficiently with policies and manual review | Reducing noise, improving response time |
| Designing effective policies | Write policies that are maintainable, testable, and effective | Policy authors, security engineers |
| Scanner selection | Choose the right scanners for your stack | New deployments, expanding coverage |
| PR scanning strategy | Configure PR gates that balance security and developer velocity | DevSecOps, engineering leads |
## General principles
### Start small, iterate
**Tip:** Don't try to cover every edge case on day one. Enable basic scanning, write a few triage policies, and expand coverage based on what you learn from real data.
### Reduce noise before expanding coverage
Adding more scanners before triaging existing findings leads to alert fatigue. Get your triage automation rate above 70% before enabling additional scanners.
### Automate the obvious, review the uncertain
- Automate: suppress info findings, accept critical CVEs with known exploits, assign by repository
- Review: medium-severity findings, new scanner rules, findings in critical code paths
### Measure and improve
Track these metrics monthly:
| Metric | Target | Where to find it |
|---|---|---|
| Triage automation rate | > 80% | Triage funnel dashboard |
| Mean time to triage | < 24 hours | Findings analytics |
| Mean time to remediate (critical) | < 7 days | Findings analytics |
| False positive rate | < 10% | Manual review of suppressed findings |
| Developer satisfaction | Qualitative | Team surveys |
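The two sections above fit together: the automate-vs-review rules decide which findings never wait for a person, and the metrics table measures how well that is working. The following is an added example, not Mayo ASPM's own code, policy language or API. It applies the rules from "Automate the obvious, review the uncertain" to a constructed findings export, then computes the four quantitative metrics from the table and checks each against its target. The field names, repository owners, critical code paths, timestamps and reviewer verdicts are all constructed assumptions.

```python
"""Added example (not Mayo ASPM code): triage rules plus monthly metrics.
Field names, owners, paths, timestamps and verdicts are constructed."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Finding:
    fid: str
    severity: str               # info | low | medium | high | critical
    repo: str
    path: str
    known_exploit: bool = False
    created: datetime = datetime(2024, 6, 1)
    triaged: Optional[datetime] = None     # when a person or a policy decided
    remediated: Optional[datetime] = None  # when the fix landed
    action: Optional[str] = None           # filled in by triage()
    automated: bool = False                # True when a policy decided, not a person


# Constructed assumptions: paths treated as critical code, and repo -> owning team.
CRITICAL_PATHS = ("auth/", "payments/")
REPO_OWNERS = {"web": "team-web", "api": "team-api"}


def triage(f: Finding) -> Finding:
    """Encode the page's rules: automate the obvious, queue the uncertain.
    Policy decisions are stamped at ingestion (assumption), so their time to
    triage is zero; manual items keep whatever `triaged` the export holds."""
    if f.path.startswith(CRITICAL_PATHS):
        f.action = "review:critical-path"       # critical code always gets a human
    elif f.severity == "medium":
        f.action = "review:medium"              # too uncertain to automate
    elif f.severity == "info":
        f.action, f.automated = "suppress", True
    elif f.severity == "critical" and f.known_exploit:
        f.action, f.automated = "accept", True  # page's rule for exploited criticals
    elif f.repo in REPO_OWNERS:
        f.action, f.automated = f"assign:{REPO_OWNERS[f.repo]}", True
    else:
        f.action = "review:unowned"             # nobody to route to, so a human decides
    if f.automated:
        f.triaged = f.created
    return f


def triage_automation_rate(findings) -> float:
    """Percent of triaged findings that a policy, not a person, decided."""
    done = [f for f in findings if f.triaged is not None]
    return 100.0 * sum(f.automated for f in done) / len(done) if done else 0.0


def mean_time_to_triage_hours(findings) -> float:
    done = [f for f in findings if f.triaged is not None]
    return mean((f.triaged - f.created).total_seconds() / 3600 for f in done) if done else 0.0


def mean_time_to_remediate_days(findings, severity="critical") -> float:
    """Mean created-to-fixed time for remediated findings of one severity; open ones are excluded."""
    fixed = [f for f in findings if f.severity == severity and f.remediated is not None]
    return mean((f.remediated - f.created).total_seconds() / 86400 for f in fixed) if fixed else 0.0


def false_positive_rate(verdicts: dict) -> float:
    """Percent of manually reviewed findings judged to be false positives.
    `verdicts` maps finding id -> True when the reviewer found no real issue."""
    return 100.0 * sum(verdicts.values()) / len(verdicts) if verdicts else 0.0


TARGETS = {  # operator and bound, taken from the "Measure and improve" table
    "triage_automation_rate": (">", 80.0),
    "mean_time_to_triage_hours": ("<", 24.0),
    "mean_time_to_remediate_critical_days": ("<", 7.0),
    "false_positive_rate": ("<", 10.0),
}


def monthly_report(findings, verdicts) -> dict:
    """Return {metric: (value, target_met)} for one month's export."""
    values = {
        "triage_automation_rate": triage_automation_rate(findings),
        "mean_time_to_triage_hours": mean_time_to_triage_hours(findings),
        "mean_time_to_remediate_critical_days": mean_time_to_remediate_days(findings),
        "false_positive_rate": false_positive_rate(verdicts),
    }
    report = {}
    for name, value in values.items():
        op, bound = TARGETS[name]
        report[name] = (value, value > bound if op == ">" else value < bound)
    return report


# Constructed sample export: one month of findings.
SAMPLE_FINDINGS = [
    Finding("F1", "info", "web", "src/util.py", created=datetime(2024, 6, 1, 10)),
    Finding("F2", "critical", "api", "src/deps.lock", known_exploit=True,
            created=datetime(2024, 6, 2, 9), remediated=datetime(2024, 6, 6, 9)),
    Finding("F3", "medium", "web", "src/views.py", created=datetime(2024, 6, 3, 8),
            triaged=datetime(2024, 6, 4, 20)),        # a person took 36 h
    Finding("F4", "high", "api", "auth/login.py", created=datetime(2024, 6, 5, 12),
            triaged=datetime(2024, 6, 5, 18)),        # a person took 6 h
    Finding("F5", "low", "web", "src/legacy.js", created=datetime(2024, 6, 7)),
    Finding("F6", "critical", "api", "src/server.py", created=datetime(2024, 6, 10)),
    Finding("F7", "high", "infra", "terraform/main.tf", created=datetime(2024, 6, 12)),
]
# Constructed verdicts from spot-checking the policy-triaged findings by hand.
SAMPLE_VERDICTS = {"F1": True, "F2": False, "F5": False, "F6": False}


def run_sample() -> dict:
    return monthly_report([triage(f) for f in SAMPLE_FINDINGS], SAMPLE_VERDICTS)


if __name__ == "__main__":
    for name, (value, met) in run_sample().items():
        print(f"{name:40s} {value:8.2f}  {'OK' if met else 'MISS'}")
```

On the constructed sample the automation rate lands at 66.7% and the false positive rate at 25%, both missing their targets, while time to triage (7 h) and critical remediation (4 days) are inside theirs. That is the pattern the "Reduce noise before expanding coverage" principle is about: the two noise metrics should move first, by adding or tightening triage policies, before more scanners are switched on. The precedence in `triage()` (critical paths and medium severity are checked before any automated action) is a design choice for this example, so that a rule like "suppress info" can never silently apply to code the team has marked critical.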
## Maturity model
### Level 1 — Visibility
- Connect GitHub and sync repositories
- Run first scans (SCA + secrets)
- Review findings manually
### Level 2 — Triage automation
- Write triage policies for top noise sources
- Set up priority scoring
- Connect Jira for ticket generation
### Level 3 — Shift left
- Enable PR scanning
- Write PR scan policies (block on critical)
- Add SAST scanning
### Level 4 — Full program
- Ownership policies route findings to the right teams
- Nightly scans cover all repositories
- Policy coverage > 90%
- Mean time to remediate trending down
## Next steps
Choose the guide most relevant to your current stage:
- New to Mayo ASPM? Start with Organizing your security program
- Drowning in findings? Read Triage workflows
- Writing your first policies? See Designing effective policies