DevSecOps Assessment

Contact Information
People & Culture
Our leadership enables regular sharing and collaboration across operations, development, and security teams.This question is required.
We have established an effective onboarding process for new engineering hires which enables them to ramp up quickly.
Team members know who to report security concerns to
Team members are able to discuss burnout and are empowered to take mitigation measures
Plan & Develop
Risk assessment or threat modeling is conducted for every new service as part of the design phase.
We perform static code analysis (e.g., static application security testing, or SAST) during the development phase to prevent commits of vulnerable code.
Engineers spend the majority of their time on new features and improvements rather than unplanned / bug fix work.This question is required.
We prioritize reducing our technical debt across applications and infrastructure.This question is required.
Build & Test
We perform dynamic code scanning (e.g., dynamic application security testing, or DAST) on committed code to stop the packaging of vulnerable code.This question is required.
We validate builds and signatures to block unsigned or vulnerable packages.This question is required.
Pull requests made to production branches are always subject to automated tests and approval/review.This question is required. 
We continuously test the core business functionality of our applications.
Release & Deploy
Our tooling allows us to fully automate deployments and releases into production.
We push code into production at a frequency that gives us a competitive edge in our industry.
We have decided on and implemented a set of criteria for failing a new deployment based on security posture.
We have the ability to quickly roll back or forward fix a failed deployment.This question is required. 
Our infrastructure is managed by configuration management / orchestration tools and is committed to a code repository.This question is required. 
We have a capacity planning process for our infrastructure that factors in growth and seasonality.
We have the ability to auto-scale infrastructure and select services when certain conditions are met (e.g., an unexpected influx of legitimate requests).This question is required.
Our production environments are highly available, spanning multiple availability zones, regions, or cloud providers.This question is required.
We run chaos tests or game days on our infrastructure and applications in production.
We conduct red team tests/adversary simulation to improve our security detection and operations capabilities.
We have an established SLA for patching systems found to be vulnerable.
We have a disaster recovery (DR) strategy in place that is tested at regular intervals.
Observe & Respond
It is easy for teams to find all relevant observability data pertaining to the health and security of an application or platform.
We have a mature metadata model, via the use of tags or labels, which helps us quickly search, filter, and correlate relevant monitoring data.
Using SLOs and error budgets is our preferred methodology for measuring infrastructure and service reliability.
Our organization has visibility into end-to-end customer journeys.
Security metrics are defined and visible to development, security, operations, and senior leadership teams across 100% of services.
We continuously scan our production infrastructure and applications for vulnerabilities and misconfigurations.  
Our team is able to quickly detect and remediate incidents.
We create blameless post-mortems / root cause analyses in a timely manner with clear descriptions of what happened and plans to prevent similar incidents from occurring.
Demographic Questions
What's your role?
What's your team or discipline?
What's your industry?
What's your company size?
Create Your First Online Survey