Matrix

OWASP DevSecOps Maturity Model
Dimension	Sub-Dimension	Level 1: Basic understanding of security practices	Level 2: Adoption of basic security practices	Level 3: High adoption of security practices	Level 4: Advanced deployment of security practices at scale
Build and Deployment	Build	Defined build process	Building and testing of artifacts in virtual environments Pinning of artifacts SBOM of components	Signing of artifacts Signing of code
Build and Deployment	Deployment	Defined deployment process	Defined decommissioning process Environment depending configuration parameters (secrets) Usage of trusted images	Handover of confidential parameters Inventory of dependencies Inventory of running artifacts Rolling update on deployment Same artifact for environments Usage of feature toggles	Blue/Green Deployment
Build and Deployment	Patch Management	A patch policy is defined Automated PRs for patches	Nightly build of images (base images) Reduction of the attack surface Usage of a maximum lifetime for images		Usage of a short maximum lifetime for images
Culture and Organization	Design	Conduction of simple threat modeling on technical level Information security targets are communicated		Conduction of advanced threat modeling Conduction of simple threat modeling on business level Creation of simple abuse stories Creation of threat modeling processes and standards	Creation of advanced abuse stories
Culture and Organization	Education and Guidance	Ad-Hoc Security trainings for software developers Security code review Security consulting on request	Each team has a security champion Regular security training for all Regular security training of security champions Reward of good communication Simple mob hacking	Conduction of build-it, break-it, fix-it contests Conduction of collaborative security checks with developers and system administrators Security-Lessoned-Learned	Aligning security in teams Conduction of collaborative team security checks Conduction of war games Regular security training for externals
Culture and Organization	Process	Definition of simple BCDR practices for critical components		Approval by reviewing any new version Definition of a change management process Prevention of unauthorized installation
Implementation	Application Hardening	Application Hardening Level 1	App. Hardening Level 2	App. Hardening Level 3	Full Coverage of App. Hardening Level 3
Implementation	Development & Source Control	Source Control Protection Versioning	Pre-Commit checks & validations		Local development linting & style checks performed
Implementation	Infrastructure Hardening	Isolated networks for virtual environments Simple access control for systems Usage of edge encryption at transit Usage of encryption at rest Usage of test and production environments	2FA Applications are running in virtualized environments Backup Checking the sources of used libraries Filter outgoing traffic The environment is hardened Usage of an security account Usage of internal encryption at tansit Usage of security by default for components Virtual environments are limited	Immutable Infrastructure Infrastructure as Code Role based authentication and authorization	Limitation of system calls in virtual environments Microservice-Architecture Production near environments are used by developers Usage of a chaos monkey
Information Gathering	Logging	Centralized system logging Logging of security events PII logging concept	Visualized logging	Centralized application logging	Correlation of security events
Information Gathering	Monitoring	Simple application metrics Simple budget metrics Simple system metrics	Alerting Monitoring of costs Visualized metrics	Advanced availability and stability metrics Advanced webapplication metrics Deactivation of unused metrics Grouping of metrics Targeted alerting	Coverage and control metrics Defense metrics Metrics are combined with tests Screens with metric visualization
Test and Verification	Application tests		Security unit tests for important components	Security integration tests for important components	High coverage of security related module and integration tests Smoke Test
Test and Verification	Consolidation	Definition of quality gates Simple false positive treatment Treatment of defects with severity high or higher	Simple visualization of defects	Integration of vulnerability issues into the development process Treatment of defects with severity middle Usage of a vulnerability management system	Advanced visualization of defects Reproducible defect tickets Treatment of all defects
Test and Verification	Dynamic depth for applications	Simple Scan	Coverage of client side dynamic components Usage of different roles	Coverage of hidden endpoints Coverage of more input vectors Coverage of sequential operations Usage of multiple scanners	Coverage analysis Coverage of service to service communication
Test and Verification	Dynamic depth for infrastructure	Test for exposed services	Test network segmentation Test of the configuration of cloud environments	Weak password test	Load tests Test for unused Resources
Test and Verification	Static depth for applications	Test of server side components with known vulnerabilities	Local development security checks performed Static analysis for important server side components	Static analysis for important client side components Test of client side components with known vulnerabilities	Exclusion of source code duplicates Static analysis for all components/libraries Static analysis for all self written components Stylistic analysis Usage of multiple analyzers
Test and Verification	Static depth for infrastructure	Stored Secrets	Check for image lifetime Test cluster deployment resources Test of virtualized environments Test the cloud configuration Test the definition of virtualized environments	Analyze logs Check for malware Check for new image version	Check for known vulnerabilities Correlate known vulnerabilities in infrastructure with new image versions Test of infrastructure components for known vulnerabilities
Test and Verification	Test-Intensity	Default settings for intensity High test intensity	Deactivating of unneeded tests Regular tests	Creation and application of a testing concept

Activities per Dimension

Build: 6
Deployment: 11
Patch Management: 6
Design: 7
Education and Guidance: 15
Process: 4
Application Hardening: 4
Development & Source Control: 4
Infrastructure Hardening: 22
Logging: 6
Monitoring: 15
Application tests: 4
Consolidation: 10
Dynamic depth for applications: 9
Dynamic depth for infrastructure: 6
Static depth for applications: 10
Static depth for infrastructure: 12
Test-Intensity: 5

Activity count: 156
Dimension count: 5
Sub-Dimension count: 18