DevSecOps is in many ways another level of DevOps maturity for an enterprise. Executive management and other stakeholders understand the concept of a maturity model, making it a helpful way to explain the value of this shift. Following a maturity model also helps you tell a story that includes the people, process, and technology changes that come with a DevOps-to-DevSecOps transformation.
Here are four typical levels of DevSecOps maturity:
Level 1: pre-DevOps (no automation)
At this level, developers perform every task manually, including creating and testing applications and systems. Team management, processes, and application security are still at a very ad hoc level.
Take the extra step to capture your lessons learned and the challenges of your pre-DevOps development era. You need to know your history, so you don't repeat it in the future.
Level 2: early DevOps/DevSecOps (lightweight automation)
Development teams standardize on some form of a DevOps toolchain to implement Infrastructure-as-Code and Compliance-as-Code. DevSecOps adoption is at the department or even just at the team level.
Mentioning DevOps and DevSecOps interchangeably in this phase is deliberate. Some organizations will fast-forward from traditional waterfall development straight to a DevSecOps model. At level 2, DevOps/DevSecOps and lightweight automation is the domain of innovative and more forward-thinking development teams. Developers are driven to find a better way to do things, either as a result of their own initiative or because a customer is asking for a DevOps approach.
Making it from level 2 to level 3 depends upon communicating and selling the successes of your early adopters of DevSecOps to the rest of your organization. Be sure to keep in touch with your early adopters and encourage them to share their DevOps and DevSecOps wins with the rest of their peers. Early win stories resonate much better than managerial mandates.
Level 3: DevOps to DevSecOps transition (advanced automation)
DevSecOps grows into a corporate or agency-wide strategy. With organization-wide support, an automation strategy for application and infrastructure development and management takes form. DevOps teams can now improve their existing processes using containers, Kubernetes (K8s), and public cloud services.
Bottom line: Organizations at this advanced phase of DevSecOps maturity are deploying applications at scale.
Level 4: full DevSecOps (full automation)
Such an expert state of DevSecOps maturity will be elusive for all but the most prominent and well-funded enterprises, those who must routinely meet the most strict cybersecurity and compliance demands. An organization that reaches this level of maturity is API and cloud-native first. These organizations are also implementing emerging technologies such as microservices, serverless, and artificial intelligence/machine learning (AI/ML) to strengthen their application development and infrastructure security.
Only when you track the maturity of your processes, team culture, and tooling do you get the best current and future-state views of your organization's progress to DevSecOps. The pandemic pushed many teams to remote work in the past 18 months. As a result, teams had to mature their processes and mature them quickly to ensure their organization could still deliver to their customers. DevSecOps brings together the very cultural, collaboration, and toolchain improvements that development teams require to deliver secure and compliant software in their new world of work.