What is the DevSecOps maturity model?
DevSecOps maturity models provide structured frameworks for organizations to assess their current security integration practices and create roadmaps for systematic improvement throughout the software development lifecycle. In particular, the OWASP DevSecOps Maturity Model (DSOMM), the most widely adopted framework in this space, offers a standardized approach to evaluate how well security practices are embedded within development and operations processes.
Adopting such a model helps organizations reduce development time and costs while increasing agility and innovation. It also provides greater visibility into security risks, improves cross-team collaboration, and helps organizations achieve compliance goals through progressive security enhancement.
The benefits of adopting the OWASP DSOMM
The OWASP DSOMM gives organizations a structured way to weave security into how they plan, build, and operate software. By using it as a roadmap, teams can unlock these benefits:
Faster, safer releases: Embedding security into every stage of development reduces the risk of late-stage surprises and costly rework.
Clear improvement path: This model gives teams a step-by-step guide for maturing their security practices, which makes it easier to prioritize investments and track progress.
Better collaboration: By breaking down silos between development, security, and operations, teams can work together to solve problems and share responsibility for risk.
Reduced risk and cost: Early detection and prevention of vulnerabilities lowers the chance of breaches and minimizes the cost of fixing issues, which matters all the more given that total ransomware incidents increased by 74% in 2023 from the previous year.
Stronger compliance: The DSOMM helps organizations align with industry standards and regulatory requirements by making security processes more consistent and auditable.
5 maturity levels of the OWASP DSOMM
The OWASP DSOMM breaks security evolution into five distinct maturity levels, from siloed, reactive practices to advanced, organization-wide adoption. Here’s what each level looks like in practice and how it helps teams benchmark where they are today and identify the steps they need to move forward:
Initial stage: Siloed teams and reactive security
The initial stage represents organizations that use traditional, siloed development approaches where security remains separate from development and operations teams. These environments typically feature waterfall development models with manual processes and defer security considerations until the end of the development cycle, which creates significant risk exposure.
This reactive approach also leads to late vulnerability discovery and costly remediation efforts that slow down releases and strain team resources.
Level 1: Basic understanding of security practices
Level 1 organizations demonstrate basic security awareness but lack systematic implementation. At this stage, their security practices remain inconsistent and informal, and they often vary significantly between projects and development sprints. Additionally, while developers typically have some awareness of basic security threats, the organization hasn’t established systematic approaches for threat identification and mitigation during development.
Implementation
Level 1 implementation establishes foundational security controls across all SDLC phases. These practices create the baseline security posture that’s necessary for advancing to higher maturity levels.
To carry out level 1 implementation, you should conduct ad-hoc threat modeling for high-risk applications using simple checklists like STRIDE. Then, focus on whiteboarding general data flows and high-level system architecture and integrate basic threat modeling into the Definition of Done to consistently address security. These steps help you establish a security-first mindset and lay the groundwork for more advanced practices as the organization matures.
Next, establish basic business continuity and disaster recovery practices (like failovers and backups) to mitigate existential threats. You can do this by defining which systems and data are truly critical, setting clear recovery time and recovery point objectives, and documenting who does what during an outage. Even lightweight runbooks and periodic recovery drills at this stage can dramatically improve your ability to withstand and recover from a major incident.
Below is an implementation checklist that you can use for each SDLC phase:
Infrastructure:
Basic access control lists and multi-factor authentication
Edge encryption for external communication
Development:
Version control for artifacts, applications, and infrastructure code
Prevention of accidental updates or skipped CI/CD checks
Scanning for secrets in code and container images
Enforced commit signing
Testing and verification:
Opportunistic and discretionary testing
Testing of major functionality and for obvious vulnerabilities
Building and deployment:
Automated CI/CD process
Defined build process to reduce manual intervention
Security patch management policy for prioritizing, scheduling, and validating patches
Use of tools like Dependabot for managing third-party dependencies
Monitoring:
Centralized system logging
Simple budget metrics tracking
Basic system metrics monitoring
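As an added illustration of the level 1 control "scanning for secrets in code" (example code written for this article, not part of OWASP DSOMM or any scanning tool), the Python script below runs a few pattern rules plus a Shannon-entropy check over constructed sample files and returns a non-zero CI gate result when anything secret-like is found. The rule patterns, file paths and contents are illustrative assumptions; the AWS key ID used is the one AWS publishes in its own documentation as a placeholder.

```python
import math
import re
from collections import Counter

# Constructed sample "repository": file path -> contents. No real secrets.
SAMPLE_FILES = {
    "app/config.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\nDEBUG = True\n',
    "deploy/values.yaml": "image: registry.example/app:1.2.3\n"
                          "apiToken: 'ghp_0123456789abcdefghijklmnopqrstuvwxyz'\n",
    "README.md": "Run make test before pushing.\n",
}

# Pattern rules (assumed, illustrative token formats; real tools ship many more).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
# Generic rule: a long quoted value assigned to a secret-like key name.
ASSIGNMENT = re.compile(
    r"""(?i)(secret|token|password|api[_-]?key)\w*\s*[:=]\s*['"]([^'"]{20,})['"]""")

def shannon_entropy(s):
    """Bits of entropy per character; random-looking strings score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_text(path, text, entropy_threshold=3.5):
    """Return (path, line number, rule name) tuples for every hit in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pat in PATTERNS.items():
            if pat.search(line):
                findings.append((path, lineno, name))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append((path, lineno, "high-entropy-value"))
    return findings

def scan_repo(files):
    """Scan every file in the mapping and collect all findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings

def ci_gate(files):
    """Exit code for a pipeline step: 0 when clean, 1 when any finding exists."""
    return 1 if scan_repo(files) else 0

if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_FILES):
        print("%s:%d: %s" % finding)
    raise SystemExit(ci_gate(SAMPLE_FILES))
```

The same scan applied to container image layers is what the checklist means by scanning images; the gate's non-zero exit is what prevents the pipeline from proceeding.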
Level 2: Adoption of basic security practices
This stage focuses on embedding security expertise directly within development teams through designated security champions and formal training programs.
Security champions serve as dedicated liaisons between information security teams and development groups. These individuals receive specialized, ongoing training to become subject-matter experts on current security threats and best practices. Their responsibilities include researching and verifying security defects, prioritizing remediation efforts, and participating in risk assessments and architectural reviews. This embedded expertise improves application resilience while reducing attack surfaces.
Beyond these champions, however, all team members who are involved in software management, development, testing, or auditing should undergo regular security training. Doing this raises their awareness of security threats, best practices, and secure design principles like least privilege, defense-in-depth, and the OWASP Top 10 vulnerabilities.
Implementation
At this stage, organizations begin formalizing security practices and embedding security expertise within development teams. The following controls help them translate growing security awareness into repeatable, team-level processes:
Infrastructure:
Virtualized environments for applications
Automated backups and rollback procedures
Baseline hardening that adheres to security best practices
Separate test and production environments
Resource limitation to prevent denial-of-service issues
Development:
Unit testing for important security features
Basic negative testing to validate failure modes and error handling
Building and deployment:
Virtual environments for managing third-party systems and libraries
Pinned artifacts and a software bill of materials (SBOM)
Nightly builds for base images and use of distroless images
Secrets management through environment variables
Clear decommissioning process for unused resources
Testing and verification:
A shift left in CI/CD pipelines to enforce hardening best practices
Simple visualization and reporting tools for vulnerabilities
Dynamic component coverage, including client-side components
Role-based testing
Exposed services testing
Monitoring and measurement:
Improved visualizations for easier anomaly detection
Proactive alerts for security incidents
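As an added example for the level 2 "pinned artifacts" control (and the static policy-as-code style of check the level 3 checklist refers to), the Python script below flags base images that are not pinned by digest and dependencies that are not pinned to an exact version. It is illustrative code written for this article, not an OWASP DSOMM or Wiz tool; the Dockerfile and requirements contents are constructed, and the all-zero digest is a placeholder.

```python
import re

# Constructed sample build inputs (not from any real project).
DOCKERFILE = """\
FROM python:3.12-slim
FROM nginx@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS proxy
FROM golang:latest AS build
"""
REQUIREMENTS = """\
requests==2.32.3
flask>=3.0
pyyaml
"""

FROM_LINE = re.compile(r"^\s*FROM\s+(?P<ref>\S+)", re.IGNORECASE)
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
# Exact pin only: name==version (extras allowed), nothing looser.
PINNED_REQ = re.compile(r"^[A-Za-z0-9_.\-\[\]]+==[A-Za-z0-9_.\-+!]+$")

def check_dockerfile(text):
    """One violation per base image not pinned by an immutable digest."""
    violations = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = FROM_LINE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.lower() == "scratch":       # empty base image, nothing to pin
            continue
        if not DIGEST.search(ref):
            reason = "floating tag ':latest'" if ref.endswith(":latest") else "no @sha256 digest"
            violations.append("Dockerfile:%d: %s (%s)" % (lineno, ref, reason))
    return violations

def check_requirements(text):
    """One violation per dependency that is not pinned with ==."""
    violations = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        spec = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not spec or spec.startswith("-"):   # skip pip options such as --hash lines
            continue
        if not PINNED_REQ.match(spec):
            violations.append("requirements.txt:%d: %s (not pinned with ==)" % (lineno, spec))
    return violations

def pinning_gate(dockerfile, requirements):
    """Pipeline step result: (exit code, violation messages)."""
    found = check_dockerfile(dockerfile) + check_requirements(requirements)
    return (1 if found else 0), found
```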
Level 3: High adoption of security practices
Organizations at level 3 achieve systematic security integration through standardized processes, automated controls, and comprehensive visibility across all development activities. They also begin aligning cybersecurity with strategic business initiatives—according to a 2024 Deloitte survey, 82% of respondents from “high–cyber-maturity” organizations said they are “very confident” in their C-suite and board’s ability to manage cybersecurity risk.
In this stage, teams formalize practices that embed security thinking into product and feature development. Threat modeling also becomes standardized, including early assessment of business functions during product backlog creation. User stories and abuse stories then ensure that security considerations are top of mind during development.
Beyond these aspects, security education becomes more engaging and team-oriented, with activities like build-it and fix-it contests, lessons-learned sessions, and bug bashes. Security peer reviews are also common here for both infrastructure and application code, and change management processes log system changes to preserve historical context and support continuous improvement.
Implementation
Level 3 focuses on standardization and automation to make security a consistent, measurable part of daily development workflows. The practices below enable teams to scale security efforts while maintaining visibility and control across the SDLC:
Infrastructure:
Secure by default components
Firewalls on both ingress and egress traffic
Web application firewall for input protection
Encryption for internal services (like mTLS)
Immutable infrastructure as code and policy as code with static analysis and tests
Development:
Integration of security checks into IDEs using linting plug-ins
Secure coding guidance in developer workflows (like inline feedback or templates)
Testing and verification:
Enhanced CI/CD pipeline guardrails
Restriction of syscalls using mechanisms like seccomp
Testing for complex authentication and authorization vulnerabilities
Inclusion of internal or hidden functionality in testing
Extension of software composition analysis and static analysis to client-side software
Integration tests for secure communication in distributed architectures
Effective vulnerability management systems
Application hardening, per ASVS level 2
Building and deployment:
Comprehensive SBOM, vulnerability assessment, and code and artifact signing
Encrypted and restricted access to secrets
Rolling deployments to minimize disruptions
Monitoring and measurement:
Reports on patch management and threat response
Improved time to recovery through organized observability data
Level 4: Very high adoption of security practices
Level 4 represents advanced security maturity with comprehensive threat modeling fully integrated throughout the software development lifecycle. At this stage, teams demonstrate a deep understanding of security standards and develop sophisticated abuse stories that anticipate complex attack scenarios. CI/CD pipelines also feature comprehensive automated guardrails for greater alignment with security and compliance requirements.
Here, the focus shifts to producing easily understood, operationalized reports and metrics that enable rapid decision-making and efficient remediation processes. That means security is the entire team’s responsibility, with a focus on getting early feedback and fast remediation. Teams also engage in war games and mutually test the security of systems that they’re not directly developing. Additionally, experts regularly come in to educate the team on the latest and best practices.
Implementation
At this level, teams deeply integrate and continuously optimize security across the organization. The implementation checklist below shows how you can support advanced automation, faster feedback loops, and more informed decision-making at scale:
Infrastructure:
Production-like development and test environments
Consistent configuration and policy parity across dev, test, and production
Testing and verification:
Advanced testing techniques (like smoke testing and chaos testing)
Comprehensive coverage using various static analysis and security scanners
Informative, reproducible tickets for easy prioritization and fixing
Building and deployment:
Promotion of the same artifact through lower environments
High release frequency with short-lived artifacts and feature toggles
Monitoring and measurement:
Consolidated and contextualized metrics
Visualization of defense metrics
Level 5: Advanced deployment of security practices at scale
This level enables enterprise-scale security operations through formal processes that maintain high security standards across larger organizations with increased personnel and system complexity. It also focuses on scaling proven security practices through structured governance and collaborative security reviews.
Additionally, regular architectural and code reviews at level 5 involve security experts, developers, and operations teams, who all work together to maintain security excellence at scale.
Implementation
Level 5 extends mature DevSecOps practices across complex, enterprise-scale environments. The controls below focus on governance, consistency, and resilience to ensure that security remains effective as systems, teams, and workloads grow:
Development:
Comprehensive, enforced secure coding guidelines
Regular validation of coding standards through automated checks and peer reviews
Testing and verification:
Tests with telemetry for performance and security insights
Very high test coverage, with almost all defects fixed
Building and deployment:
Deployment of only tested, hardened, and signed artifacts
Advanced deployment techniques (like canary or blue-green)
Monitoring and measurement:
Aggregated and centralized data from multiple sources
Proactive threat response using automated log and metric auditing
How Wiz accelerates DevSecOps maturity
Wiz accelerates DevSecOps maturity progression by providing the necessary integrated security platform capabilities at each maturity level. Our platform also enables organizations to implement DSOMM practices more effectively through automated security controls and comprehensive visibility.
Here are some key alignment areas that Wiz helps with:
Shift left security: Wiz integrates with your CI/CD pipeline, IDE, and version control system to detect and remediate vulnerabilities, misconfigurations, and secrets early in the development process. This proactive approach helps teams prevent security issues from reaching production.
Continuous monitoring: Our platform continuously scans your cloud environment for vulnerabilities, misconfigurations, and other security risks so you can detect and address any deviations from security baselines promptly.
Automation and integration: It also offers built-in integrations with ticketing, workflow, and messaging applications to automatically route security issues to the appropriate teams. This facilitates efficient remediation and policy enforcement.
Unified security policies: Wiz enforces a homogeneous set of security policies across your development pipeline and cloud environment for consistency and to reduce the risk of security drift.
Comprehensive risk analysis: Our security graph models your cloud architecture and identifies the most critical risk combinations to prioritize remediation efforts based on their potential impact.
Ready to learn how Wiz can accelerate your DevSecOps journey? Request a demo today to explore how Wiz can secure your cloud environment.