Understanding the OWASP DevSecOps Maturity Model: A Practical Guide for Modern Engineering Teams

  • Writer: Shannon
  • Jun 28
  • 4 min read

Quick backstory: this blog post was actually inspired by a conversation with a colleague during a customer call, where we were trying to map out how we could provide the most value. Some of my favorite posts come directly from real customer challenges and conversations...those are the moments that spark the best ideas.


As software delivery accelerates and complexity grows, DevSecOps has become essential for integrating security throughout the development lifecycle. While the concept is widely recognized, many organizations still struggle to gauge their maturity and define actionable steps for advancing their practices.


This is where the OWASP DevSecOps Maturity Model (DSOMM) comes in. Built by the community and grounded in real-world practices, DSOMM helps organizations evaluate their current DevSecOps maturity, prioritize improvements, and build a scalable and secure delivery pipeline.


What Is the DevSecOps Maturity Model?

The OWASP DevSecOps Maturity Model is a framework for assessing and improving how effectively security is integrated into DevOps practices. Unlike traditional maturity models that focus on governance or policy, DSOMM concentrates on actionable, technical capabilities that align with how modern engineering teams work.

The model is structured around specific practice areas, referred to as domains. Each domain is evaluated across four levels of maturity:


Level 0: Not Practicing

No defined or repeatable security practices exist for this domain.

Level 1: Basic Awareness

Ad hoc or manual security practices are occasionally implemented.

Level 2: Defined and Repeatable

Processes are standardized, and security practices are integrated into workflows and partially automated.

Level 3: Advanced and Proactive

Security is fully automated and deeply embedded in the software development lifecycle, with monitoring, feedback loops, and continuous improvement.


Each domain can be assessed independently, allowing organizations to tailor improvement efforts to their most critical areas.


Core Domains of DevSecOps

DSOMM outlines several technical domains that span the end-to-end software development and deployment process. These typically include:

  • Secrets Management

  • Vulnerability Management

  • Dependency and Supply Chain Management

  • Security Testing in CI/CD

  • Logging and Monitoring

  • Incident Response

  • Infrastructure as Code Security

  • Access Control

  • Secure Development Practices

  • Container and Cloud Security


Each of these domains can be mapped to maturity levels, creating a clear snapshot of how security is currently handled across different parts of the pipeline.


Examples of Maturity Across Domains

Here are a few examples of what maturity looks like in specific domains:


Secrets Management

  • Level 0: Secrets are stored in plaintext files or hardcoded into application code.

  • Level 1: Teams rotate secrets manually, but there is no centralized management.

  • Level 2: A secrets vault such as HashiCorp Vault, Azure Key Vault, or AWS Secrets Manager is used, with controlled access.

  • Level 3: Secrets are automatically provisioned and rotated, integrated into CI/CD pipelines, and fully auditable.


Vulnerability Management

  • Level 0: No consistent vulnerability scanning is performed.

  • Level 1: Scanning occurs occasionally and manually.

  • Level 2: Tools such as SCA, SAST, or DAST are integrated into CI/CD, with findings reviewed by security and development teams.

  • Level 3: Critical vulnerabilities block releases, remediation timelines are enforced, and metrics are used to track resolution rates.


Security Testing in CI/CD

  • Level 0: Security testing is not included in build or deploy processes.

  • Level 1: Tests are performed manually or late in the development process.

  • Level 2: Static and dynamic security tests run in the CI/CD pipeline with automated reporting.

  • Level 3: Pipelines are configured to fail based on severity thresholds, and results are integrated into dashboards and alerting systems.
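The Level 3 behaviour described for Vulnerability Management ("critical vulnerabilities block releases") and for Security Testing in CI/CD ("pipelines fail based on severity thresholds") comes down to a small gate step. Here is an added example of such a gate, not code from DSOMM or from the post; the scanner report shape, the finding ids and the `allowlist` parameter are constructed for illustration.

```python
# Added example (not DSOMM's own code): a Level 3 style release gate that fails
# a pipeline when scanner findings reach a configured severity threshold.
import json

# Rank used to compare a finding's severity against the threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner report in a deliberately minimal generic shape (no real
# tool's output format is assumed).
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "FINDING-1", "severity": "critical", "tool": "sca"},
    {"id": "FINDING-2", "severity": "medium", "tool": "sast"},
    {"id": "FINDING-3", "severity": "high", "tool": "dast"},
]})

def evaluate_gate(report_json, fail_on="high", allowlist=()):
    """Return (passed, blocking_ids, summary) for one scanner report.

    fail_on   - lowest severity that blocks the build ("high" blocks high and critical)
    allowlist - finding ids covered by an approved, time-boxed exception
    """
    threshold = SEVERITY_RANK[fail_on]
    counts = dict.fromkeys(SEVERITY_RANK, 0)
    blocking = []
    for f in json.loads(report_json)["findings"]:
        sev = str(f.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            # Fail closed: an unrecognised severity must not slip past the gate.
            raise ValueError(f"unknown severity {sev!r} on finding {f.get('id')}")
        counts[sev] += 1
        if SEVERITY_RANK[sev] >= threshold and f["id"] not in allowlist:
            blocking.append(f["id"])
    summary = ", ".join(f"{s}={counts[s]}" for s in ("critical", "high", "medium", "low"))
    return (not blocking, blocking, summary)

def main():
    passed, blocking, summary = evaluate_gate(SAMPLE_REPORT, fail_on="high")
    print(f"findings: {summary}")
    print("GATE PASSED" if passed else f"GATE FAILED, blocking: {', '.join(blocking)}")
    return 0 if passed else 1  # non-zero exit fails the pipeline step

if __name__ == "__main__":
    raise SystemExit(main())
```

Wiring the script's exit code into the pipeline step is what turns the scanner output into a release decision; the allowlist keeps approved exceptions explicit and reviewable rather than silently lowering the threshold.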


Why DSOMM Is Valuable

DSOMM offers practical benefits for organizations that want to build secure systems without disrupting delivery speed. I'll outline them here:


Clarity and Alignment

Provides a shared understanding between development, operations, and security teams.


Incremental Improvement

Supports step-by-step progress rather than requiring massive changes upfront.


Prioritized Investment

Helps teams focus their time and resources on the areas of highest impact.


Tool and Platform Neutral

Works across any stack, programming language, or cloud provider.


Built for Automation

Encourages security practices that are automated and built into delivery pipelines.


Getting Started with DSOMM

Organizations can begin by assessing their current maturity level across a subset of domains. Here’s a suggested approach:


  1. Assess Current State - Use the DSOMM website or a spreadsheet (download link below) to score each domain from Level 0 to Level 3 based on your current practices. I feel like this could be a good conversation starter for your next team meeting. It may cause disagreements, but disagreements sometimes bring about the best ideas!

  2. Map Results Visually - Create a heatmap or radar chart to visualize strengths and weaknesses across your domains (P.S. there's a heatmap in the Excel doc above).

  3. Prioritize Gaps - Focus on improving domains that pose the highest risk or provide the greatest return on investment.

  4. Build a DevSecOps Backlog - Convert findings into backlog items. For example, “Implement automated secrets rotation” or “Add SAST to CI pipeline.”

  5. Reassess Regularly - Set monthly, quarterly, and/or biannual checkpoints to evaluate progress and refine goals.
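For teams that would rather script the first three steps (assess, visualize, prioritize) than maintain a spreadsheet, here is an added example, not DSOMM's own tooling or the spreadsheet mentioned above. The domain names are the post's; the scores and the 1-5 risk weight used to rank gaps are constructed sample input and an assumed local convention, not part of the model.

```python
# Added example (not DSOMM's own tooling): score a self-assessment, draw a
# text heatmap, and rank gaps by (levels to close x assumed risk weight).
LEVELS = {0: "Not Practicing", 1: "Basic Awareness",
          2: "Defined and Repeatable", 3: "Advanced and Proactive"}

# Constructed sample assessment: domain -> (current level, target level, risk 1-5).
# The risk weight is a local judgement of exposure, not part of DSOMM.
ASSESSMENT = {
    "Secrets Management":        (1, 3, 5),
    "Vulnerability Management":  (2, 3, 4),
    "Security Testing in CI/CD": (2, 3, 3),
    "Logging and Monitoring":    (1, 2, 3),
    "Access Control":            (0, 2, 5),
}

def validate(assessment):
    """Reject scores outside levels 0-3, targets below current, or bad weights."""
    for domain, (cur, target, risk) in assessment.items():
        if cur not in LEVELS or target not in LEVELS:
            raise ValueError(f"{domain}: levels must be 0-3")
        if target < cur:
            raise ValueError(f"{domain}: target below current level")
        if not 1 <= risk <= 5:
            raise ValueError(f"{domain}: risk weight must be 1-5")

def prioritize(assessment):
    """Domains ordered by gap x risk (highest first); ties go to the lower current level."""
    validate(assessment)
    rows = [{"domain": d, "current": cur, "target": tgt,
             "gap": tgt - cur, "priority": (tgt - cur) * risk}
            for d, (cur, tgt, risk) in assessment.items()]
    return sorted(rows, key=lambda r: (-r["priority"], r["current"], r["domain"]))

def heatmap(assessment):
    """One row per domain: '#' = level reached, '.' = level still targeted, ' ' = out of scope."""
    lines = []
    for domain, (cur, target, _) in assessment.items():
        cells = "".join("#" if lvl <= cur else "." if lvl <= target else " "
                        for lvl in range(1, 4))
        lines.append(f"{domain:<28}[{cells}] L{cur} {LEVELS[cur]}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(heatmap(ASSESSMENT))
    for row in prioritize(ASSESSMENT):
        print(f"priority {row['priority']:>2}: {row['domain']} L{row['current']} -> L{row['target']}")
```

Each row of the ranked output maps directly onto a backlog item for step 4, and re-running the script at each checkpoint in step 5 shows which cells of the heatmap have moved.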


Final Thoughts

DevSecOps is not a destination, but a journey of continuous improvement. By integrating security into engineering workflows, organizations can reduce risk without slowing innovation.


The OWASP DevSecOps Maturity Model is a valuable guide for navigating this journey. It helps teams take stock of where they are, set achievable goals, and build security into the heart of how software gets delivered.


For engineering leaders, platform teams, and security professionals alike, DSOMM provides a structure that turns vague aspirations into concrete progress. It is not about perfection. It is about moving forward with intention.

© 2020 Shannon B. Kuehn