Department of Computer Science: MSc Thesis Presentations
Assessing DevSecOps Maturity: A Case Study Using OWASP DSOMM
Student: Artem Klimenko
Advisor: Emanuel Bodin
Supervisor: Lachlan Gunn
Abstract: As software organizations transition towards cloud architecture and agile development practices, they face complex security challenges. Modern software development relies extensively on cloud infrastructure, DevOps, microservices, and CI/CD pipelines. While these technologies enable faster release cycles and better scalability, they also introduce broader and more complex attack surfaces. As a result, existing security practices and traditional software development methods are no longer effective in addressing the risks emerging from this new technological landscape. DevSecOps has emerged as a response to this problem, embedding security practices directly into the development lifecycle and deployment pipelines. While it has gained substantial attention in both academic literature and industry practice, empirical understanding of how organizations adopt these practices and what factors influence this adoption remains limited. This gap is particularly pronounced for mid-sized organizations that face significant security requirements without having dedicated security teams to address them. This thesis examines the security maturity of a mid-sized software organization using the OWASP DevSecOps Maturity Model (DSOMM). Through an embedded case study involving three development teams, the research draws on interviews, documentation analysis, and technical observations to understand both the current state of DevSecOps practices and the organizational factors shaping them.
The findings reveal a characteristic pattern of asymmetric maturity: the organization demonstrates strong technical implementation with comprehensive security tooling integrated into CI/CD pipelines, yet exhibits significant gaps in process governance and security culture. Security initiatives are predominantly reactive, driven by external compliance requirements rather than proactive risk management. The assessment identified that centralized DevOps functions and technological stack coherence serve as key enablers, while the absence of dedicated security personnel and formalized vulnerability management processes acts as a primary constraint. These findings contribute to the empirical understanding of DevSecOps adoption in mid-sized organizations and offer practical insights for similar contexts where security responsibilities must be distributed across development teams.