This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP DevSecOps Maturity Model

Jump to: navigation, search
OWASP Project Header.jpg


From a startup to a multinational corporation the software development industry is currently dominated by agile frameworks and product teams and as part of it DevOps strategies. It has been observed that during the implementation, security aspects are usually neglected or are at least not sufficient taken account of. It is often the case that standard safety requirements of the production environment are not utilized or applied to the build pipeline in the continuous integration environment with containerization or concrete docker. Therefore, the docker registry is often not secured which might result in the theft of the entire company’s source code.

The DevSecOps Maturity Model, which is presented in the talk, shows security measures which are applied when using DevOps strategies and how these can be prioritized. 

With the help of DevOps strategies security can also be enhanced. For example, each component such as application libraries and operating system libraries in docker images can be tested for known vulnerabilities. 

Attackers are intelligent and creative, equipped with new technologies and purpose. Under the guidance of the forward-looking DevSecOps Maturity Model, appropriate principles and measures are at hand implemented which counteract the attacks.


The projects code is licensed under GNU GENERAL PUBLIC LICENSE Version 3. The intellectual property is licensed under Attribution-ShareAlike.


Get more visibility.

Add mapping to OWASP SAMM as soon as a stable version 2 is out.

Getting Involved

In case you have ideas for improvements for the application, please create a pull request.

In case you have ideas to adjust the model, please create a pull request with appropriate description. In a maturity model, a first check of the new/changed activities against the ease of implementation and the value in the same sub dimension should be performed. Afterwards, the ease of implementation and the value needs to be compared against activities in the same dimension and other dimension. A documentation of the comparison in the pull request needs to be added.

Project Resources

View the model


DevSecOps Maturity Model

Continuous Application Security Testing for Enterprise (with DevSecOps Maturity Model)

Project Leader

Timo Pagel

Related Projects



Project Type Files DOC.jpg
Incubator Project Owasp-builders-small.png
Creative Commons Attribution ShareAlike 3.0 License