Matrix

DevSecOps Maturity Model
Dimension	Sub-Dimension	Level 1: Basic understanding of security practices	Level 2: Understanding of security practices	Level 3: High understanding of security practices	Level 4: Advanced understanding of security practives at scale
Build and Deployment	Build	Defined build process	Regular tests		Building and testing of artefacts in virtual environments Signing of artefacts
Build and Deployment	Deployment	Defined deployment process	Backup before deployment Environment depending configuration parameters	Handover of confidential parameters Rolling update on deployment Same artefact for environments Usage of feature toggles	Blue/Green Deployment
Culture and Org.	Education and Guidance	Security consulting on request	Each team has a security champion Reward of good communication	Conduction of build-it, break-it, fix-it contests Conduction of collaborative security checks with develoeprs and system administrators Security-Lessoned-Learned	Aligning security in teams Conduction of collaborative team security checks Conduction of war games
Culture and Org.	Culture and Org.	Information security tragets are communicated	Creation of simple abuse stories	Conduction of simple threat modelling on business level Conduction of simple threat modelling on technical level	Conduction of advanced threat modelling Creation of advanced abuse stories
Culture and Org.	Process	Definition of simple BCDR practices for citical components		Approval by reviewing any new version Definition of a change mangement process Prevention of unauthorized installation
Information Gathering	Monitoring	Simple application metrics Simple system metrics	Alerting Visualized metrics	Advanced availablity and stability metrics Advanced webapplication metrics Deactivation of unused metrics Grouping of metrics Targeted alerting	Coverage and control metrics Defence metrics Metrics are combined with tests Screens with metric visualization
Information Gathering	Logging	Centralized system logging	Visualized logging	Centralized application logging	Correlation of security events
Infrastructure	Infrastructure	Simple access control for systems Usage of test and production environments	Applications are running in virtualized environments Checking the sources of used libraries Usage of security by default for components	Controlled networks for virtual environments Immutable Infrastructure Infrastructure as Code Role based authentication and authorization Versioning Virtual environments are limited	Limitation of system calls in virtual environments Microservice-Architecture Production near environments are used by developers Usage of a chaos monkey
Test and Verification	Dynamic depth	Simple Scan	Coverage of client side dynamic components Usage of different roles	Coverage of hidden endpoints Coverage of more input vectors Coverage of sequential operations Usage of multiple scanners	Coverage analysis Coverage of service to service communication
Test and Verification	Static depth	Test of middleware components with known vulnerabilities	Static analysis for important server side components	Static analysis for important client side components Test of client side components with known vulnerabilities Usage of multiple scanners	Exclusion of source code duplicates Static analysis for all components/libraries Static analysis for all self written components Stylistic analysis
Test and Verification	Test-Intensity	Default settings for intensity	Deactivating of unneeded tests	Creation and application of a testing concept	High test intensity
Test and Verification	Consolidation	Definition of quality gates Simple false positive treatment	Simple visualization of defects	Integration of vulnerability issues into the development process Treatment of defects with criticality middle	Advanced visualization of defects Reproducible defects tickets Treatment of all defects Usage of a vulnerability management system
Test and Verification	Application tests	Security unit tests for important components	Security integration tests for important components		High coverage of security related module and integration tests Smoke Test
Test and Verification	Infrastructure tests	Test of infrastructure components with known vulnerabilities	Test of the configuration of cloud environments Test of the configuration of virtual environments	Weak password test	Advanced infrastructure tests Load tests

Activtities per Dimension

Build: 4
Deployment: 8
Education and Guidance: 9
Culture and Org.: 6
Process: 4
Monitoring: 13
Logging: 4
Infrastructure: 15
Dynamic depth: 9
Static depth: 9
Test-Intensity: 4
Consolidation: 9
Application tests: 4
Infrastructure tests: 6

Activity Count: 104