Most developers favour actionable solutions that have a direct positive impact on their issues.
ASF promotes simple, automated and short-feedback-loop solutions that provide good efficiency with reasonable implementation effort.
Iterative
Agility pushes for frequent delivery, with incremental progress. This is also relevant in the cybersecurity field.
Obviously, a new system shall not be exposed before it has a reasonable level of security in place to contain risk. But in a risk-driven approach, a system can be exposed as soon as the risk is acceptable, and its security can then be improved iteratively.
For existing systems, the ASF approach helps to prioritize the most effective actions and to progressively reach an acceptable level of risk.
The baselines are organized in levels, so that the organization can define major milestones on the road to improved cybersecurity. This has proved to be a highly effective motivation for devops teams.
Customizable
ASF is designed to be tailored to each organization.
The general principles of ASF are valid for all organizations.
Baselines can be selected and adapted to the situation.
Tooling shall be adapted to the existing information system and culture. ASF does not promote specific solutions, but works well with popular ones.