DevSecOps maturity self-evaluation   

GOOD

TO_IMPROVE

GOV_CULTURE

COLL_COMM

SEC_INTEG

AUTOM_TOOLS

SEC_TEST

INCID_RESP

METRICS_MEASUR

CONT_IMPR

TRAIN_EDU

IMPLEM_EFFORT

MATURITY_LEVEL

How would you rate your company's experience with DevSecOps processes? 

What is the size of your organization

An onboarding process including secure development is established for new engineers  

How would you rate the level of collaboration between your development, security, and operations teams?

Yes but it changes based on the development team

Yes, developers are empowered to resolve vulnerabilities and deal with false positives

A process is well defined to handle vulnerable code in our product

Assets and products are score with a risk based framework. Security controls are then applied based on the score  

Security is considered only during testing phase

Security is considered during development and testing phase

Security is considered during design, development and testing phase

Security is considered during design, development, testing and post-production phase

How do you ensure that security is integrated into your software development lifecycle?

A Threat Model is conducted for every new service during the design phase

Yes, SAST tools are used by the security team on-demand

Yes, SAST tools are used by developers on their laptops

Yes, SAST tools are automated as part of the CI/CD

SAST tools are used as part of the development cycle

Yes, SCA tools are used by the security team on-demand

Yes, SCA tools are used by developers on their laptops

Yes, SCA tools are automated as part of the CI/CD

SCA tools are used as part of the development cycle

The security team organizes continuous learning and knowledge sharing events for developers

No we don't have a security champions program

Yes but no rewards or trainings are provided 

Yes but Security Champions are overloaded by security and development tasks

Yes, Security Champions have dedicated trainings and time to fulfill security tasks

Do you have a Security Champion program

An external penetration test is performed at least once a year

Only after code is deployed to production

Continuously in a dedicate UAT environment 

Automated pentest tools (DAST) are used in the development cycle

We need a manual security approval to execute the deployment

Do you fail your deployment depending on a security policy ?

Yes, the deployment is automated but blocked by the IaC security scans in case vulnerabilities are identified (guardrails)

IaC (Infrastructure as Code) is used to deploy infrastructure

Yes, in our policies and they are enforced in our issue/vulnerability tracker tool (Jira for example)

SLAs for patching security issues based on criticality are defined as part of the security policy 

Disaster Recovery procedures are

Development is not involved in Incident Response 

Incidents are addressed ad-hoc only after they occur by the security team

An incident response plan is in place and development is part of it

How do you manage security incidents and respond to them

Cycle time, Lead time, deployment frequency, MTTR,MTTD, Number of defects, Automated test coverage, Security findings. How many of these KPIs do you track? 