With DevOps teams moving at ever greater speed, it’s vital for security teams to be deeply involved at all stages of the software development and delivery lifecycle. Breaking down silos between development, operations, and security teams ensures that security considerations are not overlooked, that vulnerabilities are caught early, and that security checkpoints do not slow down the delivery process.
Technology teams know they need mature DevSecOps practices in order to rapidly deliver high-quality, secure, and reliable services, but it can be difficult for them to assess their progress and identify the steps they need to take to reach the next level of maturity. That’s why we developed a DevSecOps Maturity Model, a structured framework that helps organizations answer three key questions:
- What is our current DevSecOps maturity?
- What do we want our DevSecOps maturity to be?
- How do we bridge the gap between where we are now and where we want to be?
In this post, we will discuss the philosophy behind our DevSecOps Maturity Model and introduce our 36-question DevSecOps self-assessment, which enables teams to gauge their current level of maturity and begin setting goals for the future.
Datadog’s DevSecOps Maturity Model is based on our technical team’s collective experience working with thousands of customers to drive DevSecOps practices over the past ten years. We find that many DevSecOps models focus almost exclusively on the “Sec” in DevSecOps, but we take a more holistic approach. We believe that any DevSecOps maturity model should cover the key practices that enable development, security, and operations teams to come together to achieve their common goal of delivering high-quality services and iterating on them frequently.
The DevSecOps Maturity Model covers more than 30 key capabilities across two major areas: People & Culture (the foundation of DevSecOps) and the phases of the end-to-end DevSecOps lifecycle (Plan & Develop, Build & Test, Release & Deploy, Operate, Observe & Respond). For each capability, we identify four major levels of maturity: Beginner, Intermediate, Advanced, and Expert. For example, an organization that consistently patches systems very quickly after vulnerabilities are detected—but lacks an established patching SLA—would fall into the “Advanced” (but not the “Expert”) category in the Patching competency.
To help you answer the first key question—What is our current DevSecOps maturity?—we developed a 36-question DevSecOps self-assessment. The self-assessment is a quick (10 minute) diagnostic tool that provides a rough gauge of an organization’s current DevSecOps maturity. After you complete the assessment, the results page will display an overall maturity level, along with breakdowns for each competency area and suggestions on how to advance to the next level.
From there, we recommend downloading the DevSecOps Maturity Model white paper, which contains the full Maturity Model with granular detail on each competency. Technical teams can leverage this information to define their target maturity level and prioritize initiatives to get there.
The widespread adoption of agile workflows has made security a crucial part of the development and delivery process, and we created our DevSecOps Maturity Model to help teams tackle this organizational shift. The first step is to measure your current DevSecOps maturity, which you can do in ten minutes by taking the self-assessment.
Datadog’s unified platform enables companies to break down organizational silos while securing their entire environment. If you’re not yet a Datadog customer, you can get started with a 14-day free trial.