At Cevo, we’re passionate about helping organisations accelerate their delivery of value through DevSecOps transformations. Our DevSecOps Maturity Assessment (DOMA) framework provides a flexible foundation for assessing maturity across people, process, tools and architecture, allowing us to tailor engagements to specific customer needs and identify opportunities for improvement.
Security is critical in today’s landscape, so achieving comprehensive DevOps maturity depends on integrating security seamlessly into the entire software lifecycle – the essence of DevSecOps.
To facilitate this, Cevo leverages the flexibility of DOMA by integrating the Open Web Application Security Project (OWASP) Software Assurance Maturity Model (SAMM) for assessments that require a focus on software security assurance. This DOMA and SAMM approach allows us to provide customers with a comprehensive, measurable and actionable understanding of their specific DevSecOps capabilities and posture.
Why integrate OWASP SAMM into DOMA?
While Cevo’s DOMA provides invaluable context about how an organisation operates, OWASP SAMM brings a structured, measurable and globally recognised framework focused specifically on software security assurance. Integrating the two allows us to move beyond assessing DevOps efficiency to evaluating secure DevOps maturity. Key benefits include:
1. A structured & measurable security framework
SAMM provides a model with 15 distinct security practices, such as Threat Assessment, Secure Build, and Security Testing, covering the full software development lifecycle (SDLC). Unlike generic checklists, SAMM defines specific activities and measurable maturity levels (0-3) for each practice. This allows us to systematically evaluate security capabilities, track tangible progress over time, and leverage the data framework provided by the OWASP SAMM Benchmark project, which aims to enable benchmarking against industry peers as its dataset grows.
2. Enabling a risk-driven approach
Security isn’t one-size-fits-all. SAMM is designed to be flexible and risk-driven. By assessing maturity across practices (such as Threat Assessment, Security Testing, or Secure Build), we can help customers identify their specific risk exposure and prioritise security efforts accordingly. Instead of aiming for maximum maturity everywhere (which is often impractical), we can collaboratively define realistic target maturity levels for different practices based on the customer’s unique context, risk appetite and business goals, ensuring security investments deliver maximum value.
3. Creating actionable security improvement roadmaps
A SAMM assessment doesn’t just highlight where improvement is needed; it illuminates the path forward. The detailed structure of SAMM, including its practices, activities and maturity criteria, allows us to pinpoint specific gaps and create detailed, phased roadmaps for improvement. This mirrors DOMA’s core value of identifying actionable improvement opportunities, now with enhanced granularity for security practices. These security-focused actions can then be integrated seamlessly into the broader DevSecOps transformation initiatives identified through the DOMA context, ensuring security improvements are practical and sustainable.
4. Holistic view: Integrating security within the DevOps context
This is where the power of using OWASP SAMM truly shines. The SAMM framework tells us what security practices need attention, while the DOMA pillars provide the crucial context to understand why gaps exist and how best to address them. Is low security testing maturity due to lack of skills (people), poor pipeline integration (process), inadequate tooling (tools), or complex legacy systems (architecture)? By analysing SAMM findings through the DOMA lens, we can develop recommendations that address both the specific security practice and the underlying organisational factors, leading to more effective and lasting improvements.
How Cevo implements DOMA and SAMM
Our enhanced assessment process leverages the strengths of both frameworks:
Scoping: We work with customers to define the appropriate scope – whether it’s a single team, a product line or the entire organisation.
Information gathering: We conduct interviews and workshops with relevant groups – from delivery squads (providing the ground truth) to central teams like risk, architecture, cybersecurity and IT operations (providing the strategic/governance view).
Assessment: We use tailored question sets based on SAMM v2, evaluating evidence against the official criteria to determine maturity levels across all 30 activity streams. We also incorporate qualitative probes, including specific security culture questions, to enrich our understanding of the DOMA ‘people’ pillar context.
Analysis and reporting: We analyse the SAMM scores within the context of the customer’s unique people, process, tools, and architecture (DOMA). Our reports provide not just maturity scores but also qualitative insights, gap analysis against targets (if defined), and a prioritised, actionable roadmap combining specific security improvements with relevant DevOps enhancements.
Conclusion: Building secure foundations for DevOps success
Integrating OWASP SAMM into our DOMA framework empowers Cevo to provide a more robust, measurable and actionable assessment of an organisation’s true DevSecOps maturity. It enables us to help our customers build security into their software delivery lifecycle – not just bolt it on afterwards. By understanding both the ‘what’ of security practices (SAMM) and the ‘how/why’ of the organisational context (DOMA), we can develop targeted strategies that enhance security and resilience without sacrificing agility.
Ready to understand your organisation’s DevSecOps maturity? Let’s talk about how a Cevo DevSecOps Maturity Assessment can help you build a secure foundation for the future.