DevSecOps | Jan Kahmen | 3 min read

What Is DSOMM?

DSOMM stands for DevSecOps Maturity Model and is a maturity model that helps organizations integrate and prioritize security measures in modern DevOps processes in a structured way. It was developed by the OWASP community and is maintained as an open source project.

Background & Motivation

From startups to multinational corporations, software development today is largely shaped by agile frameworks, product teams, and DevOps strategies. Time and again, it becomes apparent that security aspects are often neglected—or at least not given sufficient consideration—when DevOps is introduced.

A classic example: Clear security requirements apply in the production environment. However, these are not consistently applied to build pipelines in the continuous integration (CI) environment – especially not when containerization with Docker is used. As a result, Docker registries remain unsecured, which in the worst case can lead to the theft of a company's entire source code.

What Does DSOMM Do?

The DevSecOps Maturity Model shows which security measures are possible and sensible in DevOps environments and offers a prioritization aid for implementing them step by step. It combines security by design with automated DevOps practices and gives teams clear guidance on how security can be embedded in agile processes in a sustainable manner.

Concrete Measures – an Example

DevOps strategies can also be used to improve security:

  • Every component of a Docker image – from application to operating system libraries – can be automatically checked for known vulnerabilities (CVEs).
  • CI/CD pipelines can be designed so that security checks are an integral part of every deployment.
  • Security is no longer seen as an obstacle, but as a continuous companion in the development process.
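As an added illustration of the second bullet (this is example code written for this article, not part of DSOMM or any scanner project): a small CI gate that reads an image scan report and decides whether a deployment may proceed. It assumes the report has the `Results` / `Vulnerabilities` shape of Trivy's JSON output; the CVE identifiers, package names and versions in the sample are constructed placeholders.

```python
import json
from dataclasses import dataclass

# Constructed sample report (Trivy-style JSON shape). All IDs/versions are made up.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "app:1.0 (debian 12)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "InstalledVersion": "1.0-1",
         "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "InstalledVersion": "2.1",
         "FixedVersion": "", "Severity": "HIGH"}]},          # no fix available yet
    {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "somelib", "InstalledVersion": "0.9",
         "FixedVersion": "1.0", "Severity": "MEDIUM"}]},
]})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass(frozen=True)
class Finding:
    target: str
    vuln_id: str
    package: str
    installed: str
    fixed: str      # empty string when the distro/ecosystem has no fixed version
    severity: str

def parse_findings(report_json: str) -> list:
    """Flatten every vulnerability in every scanned target (OS packages and app deps)."""
    data = json.loads(report_json)
    out = []
    for result in data.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key may be null for clean targets
            out.append(Finding(result.get("Target", ""), v["VulnerabilityID"], v["PkgName"],
                               v.get("InstalledVersion", ""), v.get("FixedVersion") or "",
                               v.get("Severity", "UNKNOWN").upper()))
    return out

def blocking_findings(findings, min_severity="HIGH", fixable_only=True):
    """Policy: block at or above min_severity; optionally ignore findings with no fix yet
    (those should go to a tracked exception list rather than stall every deployment)."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if SEVERITY_RANK.get(f.severity, 0) >= threshold and (f.fixed or not fixable_only)]

def gate(report_json: str, min_severity="HIGH", fixable_only=True) -> int:
    """CI exit code: 0 = deployment may proceed, 1 = blocked by policy."""
    blocked = blocking_findings(parse_findings(report_json), min_severity, fixable_only)
    for f in blocked:
        print(f"BLOCK {f.severity} {f.vuln_id} {f.package} {f.installed} -> fix {f.fixed} [{f.target}]")
    return 1 if blocked else 0

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

Tightening `min_severity` and dropping `fixable_only` over time is one way to move a pipeline from the "partially automated" level toward fully integrated checks.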

Maturity Levels & Structure

DSOMM is divided into different security areas (dimensions), e.g.:

  • Secure coding practices
  • CI/CD pipeline security
  • Infrastructure as code security
  • Dependency management
  • Secrets management
  • Monitoring & incident response

There are several maturity levels for each of these dimensions, such as:

  • Level 0: No measures in place
  • Level 1: Initial manual controls
  • Level 2: Partially automated processes
  • Level 3: Fully integrated and automated security mechanisms

Why Is This Important?

Today's attackers are intelligent, creative, and technologically well equipped. Security measures must therefore not only take effect at the end – they must be incorporated proactively and at an early stage.
DSOMM offers concrete principles and measures that organizations can use to arm themselves against modern threats – tailored to their individual maturity and capacity.

Conclusion

The DevSecOps Maturity Model (DSOMM) is a practical tool for strategically and systematically embedding security into DevOps processes. It helps identify typical security gaps such as insecure Docker registries or missing vulnerability scanning – and remedy them in a targeted manner through graduated measures.