Nexastack's DevSecOps Maturity Assessment

1/12

DevSecOps Capabilities Assessment

Are Security Team representatives involved in the development of new applications and services?

Always

Never

Sometimes based on criticality, they are involved in earlier phases of development.

Does your security, governance and compliance function embrace Agile and DevOps Principles?

Yes

DevSecOps Capabilities Assessment

A least-privilege model is enforced for processes running on shared infrastructure.

Yes

Security-approved OS, software versions and frameworks are used to compose the required infrastructure. Security-related controls such as ACLs and FIM are defined as a part of infrastructure where applicable.

Yes

DevSecOps Capabilities Assessment

IaaS or PaaS service provider security controls are validated to ensure that they meet business requirements in their domains of the shared security model.

Yes

Does your Development Teams follow a consistent set of secure Coding Best Practices including OWASP coding rules?

Yes

DevSecOps Capabilities Assessment

Are Coding Standards enforced in CI/CD Pipeline using automated tools and scanning?

Coding Standards are enforced with tools and are widely adopted.

No Coding Standards are not enforced yet using an automated way.

Tools are used for Coding Standards but adoption is limited.

Are Code Reviews done as a part of the Software Development Lifecycle? Before code is pushed to master or Ready for Release, Is it reviewed?

No Code Review.

No manual Code Review but we have Code Quality Gates present in Pipeline.

Yes we combine Code Review and Automated scanning of Code in Pipeline.

DevSecOps Capabilities Assessment

Do you use automated code scanning tools in Pipeline based on Compliance Requirements such as PCI DSS?

Yes

Sometimes

Do you provide feedback lessons learnt from previous security incidents to teams ( eg. exploited bugs and flaws ).

Yes

DevSecOps Capabilities Assessment

At what stage in your development process your organisation embedded security controls and testing?

Design

Development

Production

Throughout the whole Process

DevSecOps Capabilities Assessment

Does your organization check third-party software components and vulnerabilities contained in them?

No, we do not have meaningful checks and controls for third-party software.

Yes, we conduct manual identification and remediation of vulnerabilities on third-party software.

Yes, we have automatized this process.

DevSecOps Capabilities Assessment

Have you incorporated threat-modelling processes in your DevSecOps in order to get your developers thinking about their software from the perspective of the attacker?

No, we do not have that level of maturity yet.

Yes, we leverage threat-modelling processes within our DevSecOps.

Are you allocating the time and investment needed to train your development team on secure coding?

Not at the moment.

Yes, but not as much as we probably should.

Yes, training our developers on security is an absolute priority for us.

DevSecOps Capabilities Assessment

Common security components such as identity, authorization, key management, audit/log, cryptography, protocols, etc. are maintained, published, readily available and used within module development.

Yes

Binary artifacts are digitally signed and stored in secure repositories.

Yes

DevSecOps Capabilities Assessment

A software version management system is used to manage versions of all changes to source code, executable images and tools used to create and test the software.

Yes

Does your Release Regression Tests include Security Tests?

Yes

DevSecOps Capabilities Assessment

Test results that indicate possible security concerns are tagged for security analysis.

Yes

An accurate inventory of all software packages and version information is documented via Infrastructure as Code. Automated detection is used to identify whether any of the packages have known CVEs associated and define specific remediation actions.

Yes

DevSecOps Capabilities Assessment

If containers are used for deployment, images are scanned for security issues automatically in Pipeline and fixed based on CVEʼs score.

Yes

Partially implemented

Submit Your Details to See Results

What is your First Name ?

What is your Last Name ?

What is your Email id ?

In which company you work in ?

Thank you for taking the DevSecOps Maturity Assessment

We will get back to you with complete breakdowns for each competency area and suggestions on how to advance to the next level.

0/80

Medium

Your organizations has optimized business outcomes and has best team collaboration. You are leading the industry.

Elite teams are twice as likely to meet or exceed their organizational performance goal