OWASP DSOMM
a maturity model for the DevSecOps pipeline

OWASP DSOMM: a maturity model for the DevSecOps pipeline

OWASP DSOMM (DevSecOps Maturity Model) is the open framework that measures the maturity of a DevSecOps programme across four dimensions and sixteen sub-dimensions, on a four-level scale. Where OWASP SAMM measures the AppSec function at the organisational layer, DSOMM measures what the pipeline and the runtime actually do: how builds are produced, how artefacts are signed, how secrets are handled, how the runtime is hardened, and how the testing and monitoring planes operate. The two are complementary rather than competing: SAMM is the organisational maturity model the AppSec function is built against; DSOMM is the pipeline maturity model the platform and the runtime are built against.

DSOMM is most useful when an organisation needs to talk about DevSecOps in operational terms rather than aspirational ones. A statement like “we have a mature DevSecOps programme” is unfalsifiable. A statement like “Build and Deployment is at Level 3, Culture and Organization is at Level 2, Implementation is at Level 3, and Information Gathering is at Level 2, with eight sub-dimensions on a roadmap to Level 4 over the next two cycles” is operational. The DevSecOps enterprise guide covers the programme thinking behind that statement; DSOMM gives it a scorecard.

The four DSOMM dimensions and the sixteen sub-dimensions

DSOMM organises its model into four dimensions, each containing three or four sub-dimensions, for a total of sixteen sub-dimensions. Each sub-dimension carries a catalogue of activities and a per-activity maturity level. The dimensions are the unit of leadership communication; the sub-dimensions are the unit of programme planning; the activities are the unit of measurement.

For programmes that run authenticated DAST, SAST, and SCA as part of Information Gathering (Test and Verification) and Build and Deployment (Build) activities, the authenticated scanning and code scanning features run those tests against the same engagement record that carries the DSOMM scorecard, with repository connections binding each scan back to a specific commit on a specific branch so the activity-observed claim is backed by live pipeline output rather than a screenshot of a dashboard.

The four maturity levels: from ad hoc to continuously verified

Each of the sixteen sub-dimensions is scored on a four-level scale. Level 1 (Basic understanding of security practices), Level 2 (Adoption of basic security practices), Level 3 (High adoption of security practices), and Level 4 (Very high adoption of security practices) capture an increasingly disciplined and continuously verified pipeline posture. The progression is operational: Level 1 looks like a single individual running the practice on a manual cadence; Level 2 looks like a documented programme with a few teams adopting it; Level 3 looks like a standardised practice every team follows with regular evidence; Level 4 looks like a continuously verified practice with measurable outputs and breaking-build gates.

For deeper context on the findings discipline that backs Information Gathering (Test and Verification) and Implementation (Application Hardening) activities, see the DevSecOps scanning workflow and the secret scanning remediation workflow, which together cover how scanner output becomes defensible activity-observed evidence at DSOMM measurement time.

How DSOMM sits next to OWASP SAMM, BSIMM, and NIST SSDF

DSOMM is rarely used in isolation. It is the pipeline-and-runtime measurement layer that pairs with organisational maturity models (SAMM), descriptive benchmarks (BSIMM), and regulator-facing practice catalogues (NIST SSDF). The contrast below is a working view, not a buyer comparison: the practitioner question is which frameworks to pair DSOMM with, not which to pick instead of it.

Programmes that already operate under a prescriptive secure-development standard typically pair DSOMM with BSIMM as the descriptive benchmark for activity prevalence, NIST SSDF (SP 800-218) as the regulator-facing practice list, and OWASP ASVS as the per-application verification standard. The pipeline maturity model is the operational layer; SAMM is the organisational layer; SSDF is the regulator layer; ASVS is the per-application verification layer; and the same engagement record can carry all four.

DSOMM by role: AppSec, platform engineering, CISOs, and consultancies

DSOMM reads differently depending on which side of the programme you sit on. The pipeline-and-runtime focus makes it engineering-friendly; the four-level scale makes it leadership-friendly; the activity catalogue makes it audit-friendly; the annual cadence makes it programme-friendly.

The persona-specific entry points are SecPortal for application security program leads (the canonical owner of the annual DSOMM measurement cycle and the per-sub-dimension roadmap that sits underneath it), SecPortal for DevSecOps teams, SecPortal for AppSec teams, SecPortal for security engineering teams, SecPortal for platform engineering teams, and SecPortal for CISOs. Each anchors a different view of the same DSOMM measurement record.

The annual cycle: scope, score, plan, re-measure

A DSOMM measurement is most useful when it is run as a structured annual cycle rather than a one-time engagement. The cycle has four phases: scope the sub-dimensions the programme is in scope for, score each sub-dimension against the activity catalogue with evidence per activity, plan the activity additions for the next cycle with named owners and timelines, and re-measure the following year on a comparable basis. The deliverable is not the scorecard. The deliverable is the gap between current and target maturity and the activity additions the programme commits to.

For translating activity additions into structured remediation work that supports the Information Gathering (Test and Verification) and Implementation (Application Hardening) practices, see the remediation tracking workflow, the vulnerability finding state lifecycle, and the SDLC vulnerability handoff workflow, which together cover the closure mechanics that turn a DSOMM activity addition into a sustained pipeline change rather than a checkbox.

Where SecPortal fits in a DSOMM measurement cycle

SecPortal is the operating layer for a DSOMM measurement cycle. The platform holds the scope, the per-activity evidence, the per-sub-dimension score, the per-dimension roll-up, the target level per sub-dimension, the next-cycle activity additions, and the re-measurement record on one engagement, so the measurement is a live record rather than a long email thread with attached spreadsheets. SecPortal does not ship a native DSOMM-only scoring engine; it holds the DSOMM measurement evidence on the same structured record that carries findings, retests, scanner output, AI reports, and audit evidence. For consultancies running DSOMM-style assessments on behalf of multiple clients, the security consulting workspace bundles the measurement record with branded client portals, so each client sees their own live activity catalogue and maturity position rather than a frozen PDF.

Looking for the engagement workflow that supports the measurement record itself? The DevSecOps scanning use case and the code review use case capture how SecPortal turns Build and Deployment (Build) and Information Gathering (Test and Verification) evidence into structured records covering scope, scanner output, findings, retests, and the deliverable. For onboarding new applications into the DSOMM scope, see the security onboarding for new applications workflow.

For programme-level context on how pipeline maturity measurements fit into the wider security delivery operating model, see the security workflow orchestration research, the vulnerability management programme maturity model, and the security champions program guide, which together cover the operating-model thinking that turns a DSOMM measurement into a sustained pipeline programme rather than an annual exercise that ends with the slide deck.