DevSecOps Maturity Model: A blueprint for assessing and advancing your organization's DevSecOps practices.
datadog.com
DevSecOps Maturity Model 2
Contents
1. Three key DevSecOps questions for leaders to answer (p. 4)
2. The DevSecOps Maturity Model (p. 6)
3. Implications for your DevSecOps Journey (p. 11)
4. The Business Value of DevSecOps (p. 14)
5. Getting Started (p. 16)
Authors (p. 16)
About Datadog (p. 17)
[Figure: maturity ladder with four levels, from bottom to top: Beginner ("We're here"), Intermediate ("We need to get here first"), Advanced ("We want to get here"), Expert]
Methodology
Our technical enablement teams work hand in hand with customers to
help drive their DevSecOps transformations. In addition, we have more
than 10 years of experience helping over 14,000 companies drive DevOps
(and now DevSecOps) practices. As a result, we’ve observed companies
at all levels of DevSecOps maturity and seen their paths of progression.
We’ve built a DevSecOps maturity model that distills these customer
experiences into efficient paths that any organization can replicate.
The increasing velocity of DevOps teams has opened the door for two
complications: (1) security issues are overlooked because DevOps teams
are mainly concerned with functional and performance characteristics
of software, not security, and (2) security is a bottleneck (or ignored)
because security teams still exist in a separate silo with separate tools,
culture, and processes from their DevOps counterparts (who are also
moving with increasing speed).
[Figure: DevSecOps Maturity Model wheel showing the Dev, Sec and Ops competency areas and their security-related sub-competencies; the labels did not survive extraction]
The Competencies
The DevSecOps Maturity Model covers six key competencies:
– Build & Test: This area covers testing processes and automation,
quality assurance, code scanning techniques, and build and
signature validation.
The Model
In the matrix below, each of the six competency areas encompasses a
series of separate competencies, at least two of which are security-
related competencies. For each competency, we identify four levels of
maturity: Beginner, Intermediate, Advanced, and Expert.
Plan & Develop
  Beginner: Risk and security not considered; High technical debt; Excessive bug fix work; Code not validated
  Intermediate: Limited risk assessment; Moderate technical debt; Moderate bug fix work; Some code validation
  Advanced: Threat modeling and risk assessments; Low technical debt; Low bug fix work; All code validated
  Expert: Extensive threat modeling/risk assessment; Minimal technical debt; New feature focus; All code validated automatically

Build & Test
  Beginner: Manual testing; No code scanning
  Intermediate: Partial test automation
  Advanced: High test automation
  Expert: Complete test automation
Observe & Respond
  Beginner: No SLOs formed; No vulnerability/misconfiguration scanning; No security metrics defined; Siloed telemetry; User journeys unknown; Excessive MTTD and MTTR; No post-mortems
  Intermediate: Basic SLOs formed; Partial vulnerability/misconfiguration scanning; Some security metrics defined & visible; Some common observability data sets; Basic understanding of user experience; Moderately high MTTD and MTTR; Basic post-mortems
  Advanced: SLOs & error budgets favored; Significant vulnerability/misconfiguration scanning; Security metrics defined & visible for most services; Common observability data platform; Detailed user journey visibility; Moderate-to-low MTTD and MTTR; Detailed post-mortems
  Expert: SLOs & error budgets drive decisions; Extensive vulnerability/misconfiguration scanning; Security metrics defined & visible for 100% of services; Standardized metadata model; Complete user journey visibility; Very low MTTD and MTTR; Clear, blameless post-mortems
3. Implications for your DevSecOps Journey
Let’s return to the three key questions for technical leaders (Where is my
organization? Where do we want to be? How do we get there?), and discuss
how the Maturity Model can help answer them.
Where is my organization now?
The DevSecOps Maturity Assessment
Technical leaders need to calibrate where their organizations are on the
DevSecOps maturity curve. Towards that end, we’ve developed an online
self-assessment tool based on the DevSecOps Maturity Model. The
assessment is 36 questions and takes 10 minutes to complete.
[Figure: "Maturity by Competency" radar chart rating Overall Maturity and the competencies Culture, Operate, Build & Test and Release & Deploy on the Beginner, Intermediate, Advanced and Expert scale]
Based on the output of the assessment, leaders can see at a glance where
there is room for improvement and investment.
It’s also important to remember that state-of-the-art DevSecOps practice is
constantly evolving and advancing. An “Advanced” rating one year might
become an “Intermediate” rating the next. For this reason, it’s important
for both maturity models to stay up-to-date and for leaders to continually
reassess their organizations using the latest models.
The cells in the maturity model show the incremental steps leaders can
take to move from one level to the next.
[Table: improvement roadmap by competency (Culture, Operate) with Owner and quarter columns; only the row labels and the values Q1, Q2, Q3 and Owner survived extraction]
Technical leaders can and should measure their DevSecOps journeys using
the above metrics. These metrics are essential for demonstrating progress
throughout the organization, and for justifying the investments necessary
to progress along the maturity curve.
About Datadog
Datadog is the monitoring and security platform for cloud applications.
Our SaaS platform integrates and automates infrastructure monitoring,
application performance monitoring and log management to provide
unified, real-time observability of our customers’ entire technology stack.
Datadog is used by organizations of all sizes and across a wide range of
industries to enable digital transformation and cloud migration, drive
collaboration among development, operations, security and business
teams, accelerate time to market for applications, reduce time to problem
resolution, secure applications and infrastructure, understand user
behavior and track key business metrics.
Appendix: Detailed Maturity Model
1. Culture
Team health
  Beginner: Team members are not able to discuss burnout and are not empowered to take mitigation measures.
  Intermediate: Team members openly discuss burnout, but are not empowered to take mitigation measures.
  Advanced: Team members are able to discuss burnout and are empowered to take mitigation measures.
  Expert: Burnout is rare, but is openly discussed and quickly addressed.
Risk assessment
  Beginner: Security and risk are not considered at the beginning of the development cycle.
  Intermediate: Security and risk considerations are introduced in middle-to-late stages of the development cycle.
  Advanced: Risk assessment or threat modeling is conducted at the beginning of some but not all services at the design stage.
  Expert: Risk assessment or threat modeling is used for every new service as part of the design phase.

Code validation
  Beginner: Code is not validated after development.
  Intermediate: Code is validated partially and manually after development.
  Advanced: Static code analysis (e.g. Static application security testing, or SAST) is performed on some code to prevent commits of vulnerable code.
  Expert: Static code analysis (e.g. Static application security testing, or SAST) is performed during the development phase to prevent commits of vulnerable code.
Test automation
  Beginner: Manual testing is performed by dedicated teams.
  Intermediate: Testing is partially automated with significant manual testing.
  Advanced: Testing is mostly automated.
  Expert: Testing is fully automated and various testing regimes are applied at all stages of the development lifecycle.

Code scanning
  Beginner: Committed code is not scanned to stop the packaging of vulnerable code.
  Intermediate: Some code is scanned to stop the packaging of vulnerable code.
  Advanced: Dynamic code scanning (e.g. Dynamic application security testing, or DAST) is performed on some committed code to stop the packaging of vulnerable code.
  Expert: Dynamic code scanning (e.g. Dynamic application security testing, or DAST) is performed on all committed code to stop the packaging of vulnerable code.

Build validation
  Beginner: Builds and signatures are not validated to block unsigned or vulnerable packages.
  Intermediate: Builds and signatures are partially validated to block unsigned or vulnerable packages.
  Advanced: Most builds and signatures are automatically validated to block unsigned or vulnerable packages.
  Expert: Builds and signatures are automatically validated to block unsigned or vulnerable packages.

Quality assurance
  Beginner: Core business functionality is not tested.
  Intermediate: Infrequent or manual testing of core business functionality.
  Advanced: The core business functionality of many applications is frequently and automatically tested.
  Expert: The core business functionality of all applications is continuously and automatically tested.
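The "Build validation" competency above describes a gate that blocks unsigned or vulnerable packages before they are packaged. The following is an added example of such a gate, not code from the paper or from Datadog: it verifies a signature over a build manifest, checks the artifact digest, and rejects dependencies on a denylist. The HMAC key, the manifest format and the list of vulnerable versions are all constructed for illustration; a production pipeline would verify an asymmetric signature and consult a real vulnerability feed.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumption: a shared HMAC key stands in for the build system's signing key;
# a real pipeline would verify an asymmetric signature. Key value is constructed.
SIGNING_KEY = b"constructed-demo-signing-key"

# Constructed denylist of dependency versions treated as vulnerable (not real advisories).
VULNERABLE = {("requests", "2.19.0"), ("left-pad", "1.0.0")}


def build_manifest(artifact: bytes, dependencies: list) -> dict:
    """Describe a build: digest of the artifact plus its resolved dependencies."""
    return {"sha256": hashlib.sha256(artifact).hexdigest(), "dependencies": dependencies}


def sign_manifest(manifest: dict) -> str:
    """HMAC-SHA256 over the canonical (sorted-key) JSON encoding of the manifest."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def validate_build(artifact: bytes, manifest: dict, signature: Optional[str]) -> list:
    """Packaging gate: return the reasons a build is blocked; an empty list means it passes."""
    reasons = []
    if signature is None:
        reasons.append("unsigned build")
    elif not hmac.compare_digest(signature, sign_manifest(manifest)):
        reasons.append("signature mismatch")  # manifest or signature was altered after signing
    if manifest.get("sha256") != hashlib.sha256(artifact).hexdigest():
        reasons.append("artifact digest does not match manifest")
    for dep in manifest.get("dependencies", []):
        if (dep["name"], dep["version"]) in VULNERABLE:
            reasons.append(f"vulnerable dependency {dep['name']}=={dep['version']}")
    return reasons


if __name__ == "__main__":
    art = b"constructed build output"
    ok = build_manifest(art, [{"name": "requests", "version": "2.31.0"}])
    print(validate_build(art, ok, sign_manifest(ok)))   # []
    print(validate_build(art, ok, None))                # ['unsigned build']
    bad = build_manifest(art, [{"name": "requests", "version": "2.19.0"}])
    print(validate_build(art, bad, sign_manifest(ok)))  # ['signature mismatch', 'vulnerable dependency requests==2.19.0']
```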
Deployment remediation
  Beginner: Remediating a failed deployment is a time-consuming and manual process.
  Intermediate: Teams have the ability to quickly roll back a failed deployment.
  Advanced: Teams can quickly roll back a failed deployment but often make a forward fix instead.
  Expert: Teams are biased to forward fixing deployment issues, and are capable of doing so quickly.
5. Operate
Capacity planning
  Beginner: Long capacity planning cycles (annual or quarterly) leveraging CapEx budget.
  Intermediate: Capacity planning leverages OpEx budget, but limited insight into seasonality and growth.
  Advanced: Capacity planning leverages OpEx and is informed by seasonality and growth.
  Expert: Capacity planning leverages OpEx and is based on seasonality and growth data.
Service level objectives (SLOs)
  Beginner: No SLOs formed.
  Intermediate: Rudimentary SLOs formed which may not reflect user experience.
  Advanced: SLOs and error budgets are primary indicators of service reliability.
  Expert: SLOs and error budgets are the primary driver of engineering decisions.

Vulnerability & misconfiguration scanning
  Beginner: No scanning.
  Intermediate: Some infrastructure and applications scanned.
  Advanced: Most infra and apps scanned.
  Expert: Continuous scanning of all infra and apps.

Security monitoring
  Beginner: Security metrics (e.g. failed logins) not defined or visible.
  Intermediate: Security metrics are partially defined and visible.
  Advanced: Security metrics defined and partially visible for 100% of services.
  Expert: Security metrics defined and fully visible for 100% of services.

User experience
  Beginner: No visibility into end-to-end customer journeys.
  Intermediate: Partial visibility into some customer journeys.
  Advanced: High visibility into most customer journeys.
  Expert: Full visibility into all customer journeys.

Data model & access
  Beginner: Data is uncorrelated, and ingested into separate systems owned by separate teams and not shared.
  Intermediate: Some common datasets, but not easy to correlate, search, and filter. Frequent context switching.
  Advanced: Common data platform with a metadata model, usable by most teams.
  Expert: Mature metadata model, via the use of tags or labels, that is usable by all teams.
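The Observe & Respond matrix and the "Security monitoring" competency above use failed logins as the example of a security metric that should be defined and visible, and they tie maturity to MTTD. The following is an added example, not code from the paper or from Datadog, of computing that metric from authentication log lines: it counts failures per source, flags a source that crosses a threshold inside a sliding window, and records how long after the first failure the threshold was crossed (the detection latency that feeds MTTD). The log format, the sample lines and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log; the line format is an assumption, not the paper's.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth: login failed user=alice src=203.0.113.5
2024-05-01T10:00:03Z auth: login failed user=alice src=203.0.113.5
2024-05-01T10:00:04Z auth: login ok user=bob src=198.51.100.7
2024-05-01T10:00:05Z auth: login failed user=alice src=203.0.113.5
2024-05-01T10:00:06Z auth: login failed user=carol src=203.0.113.5
2024-05-01T10:00:07Z auth: login failed user=alice src=203.0.113.5
2024-05-01T10:07:00Z auth: login failed user=dave src=192.0.2.9
"""
LINE_RE = re.compile(r"^(\S+) auth: login (failed|ok) user=(\S+) src=(\S+)$")


def parse_events(log: str) -> list:
    """Turn log lines into (timestamp, failed?, user, source) tuples; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2) == "failed", m.group(3), m.group(4)))
    return events


def failed_login_metrics(log: str, window=timedelta(minutes=5), threshold=5) -> dict:
    """Failed logins per source; flag a source with >= threshold failures inside one window."""
    by_source = defaultdict(list)
    for ts, failed, _user, src in parse_events(log):
        if failed:
            by_source[src].append(ts)
    flagged = {}
    for src, times in by_source.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward past old failures
                start += 1
            if end - start + 1 >= threshold:
                # seconds from the first failure in the window to the moment the metric fired
                flagged[src] = {"count": end - start + 1,
                                "time_to_detect_s": (ts - times[start]).total_seconds()}
                break
    return {"total_failed": sum(len(t) for t in by_source.values()),
            "failed_by_source": {s: len(t) for s, t in by_source.items()},
            "flagged": flagged}
```

Run against SAMPLE_LOG, the source 203.0.113.5 is flagged with five failures and a detection latency of 6 seconds, while the single failure from 192.0.2.9 only appears in the per-source counts.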