Our story with DevSecOps Explorer started the day I joined Smithy. At the time, my cybersecurity experience was basically limited to validating user inputs – nowhere near the level of work being done at Smithy. So during onboarding, I found myself buried in articles on SAST, DAST, IAST, SCA, and dozens of unfamiliar acronyms and vendor names. It was overwhelming.
It became immediately clear that even seasoned security experts – let alone newcomers – face an overwhelming sea of information when trying to make smart decisions about cybersecurity. Standards, vendors, frameworks, compliance scores… navigating all of it felt like piecing together a giant puzzle. People who need to secure their organizations aren’t always cybersecurity specialists – yet they have to sift through hundreds of options to figure out which tools are essential, where their gaps are, and where they should invest next.
Spyros guided me through several references, but one that truly stood out was the AppSec Map – an interactive visualization of application security vendors and projects that showcases the AppSec ecosystem. Navigating it drove home how many options exist and how difficult it is to immediately grasp their real-world impact. But we set out to do better – we designed the DevSecOps Explorer around three core jobs-to-be-done:
- First, show users what tools exist in the market – not just the ones Smithy supports.
- Second, instantly display a user’s security maturity level without forcing them through a long questionnaire.
- Third, advise users on which tools they should add to their arsenal to meaningfully improve their security posture.
Today, the first two goals are already live: users can explore a centralized, vendor-agnostic map of security tools and instantly see their security health. The next step is even more exciting: we’re building an automated recommendation engine. Soon, users will simply input their stack – cloud provider, programming languages, existing tools – and Smithy will intelligently suggest the next best security layers to adopt, all without a single tedious survey.
Smithy’s Implementation
The core UI is a structured flowchart of the DevSecOps lifecycle phases adapted from the OWASP Application Security Wayfinder:
- Process & Culture
- Design & Requirements
- Verification
- Implementation
- Operation
- Policy Gap Evaluation
Users select their own security tools directly on the flowchart. As selections are made, the potential maturity score is instantly recalculated, showing how each added tool moves the organisation along the maturity spectrum.
You can also see at a glance exactly which tools Smithy supports today – so you know whether onboarding with us will cover your stack.
Note: Some domains – such as Operations – depend on organisational processes and human practices beyond tooling, so a score derived from tools alone is only a lower bound there. For a full assessment, teams should still run the complete SAMM assessment procedure.
OWASP SAMM & OpenCRE
OWASP SAMM (Software Assurance Maturity Model) is a risk-driven framework for assessing and improving software security practices across five business functions: Governance, Design, Implementation, Verification and Operations. Each business function contains three security practices, and each practice is assessed at three maturity levels. Teams score themselves on the adoption of activities such as secure design, code review and incident response.
OpenCRE (Common Requirement Enumeration) harmonises multiple standards (ISO 27001, NIST SP 800-53, OWASP Top 10, etc.) into a single catalogue of CREs, making it easy to map diverse tools to unified controls. We used these CREs as middleware: each tool maps to CREs, and each CRE rolls up to one of the five SAMM business functions. This level of abstraction will let Smithy integrate other maturity standards in future iterations of the explorer without remapping every tool.
Mapping Tools to Controls
We curated a list of 50+ tools covering SAST, DAST, IaC scanning, secret management, container security, runtime protection, and more.
For each tool, we identified which SAMM domains it most directly supports. For example:
- Zaproxy – maps to the CREs covering dynamic application security testing (DAST), which roll up to Verification
- Checkov – maps to the CREs under Implementation, since it validates Infrastructure-as-Code before deployment
Each tool then contributes weighted points toward its mapped SAMM domains through those CREs. When set up correctly, a tool unlocks points; CREs that no selected tool covers are left as clearly highlighted “coverage gaps”.
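The following is an added toy scoring engine, written for this article and not Smithy's or OpenCRE's own code, showing how the tool → CRE → SAMM-domain layering above turns a tool selection into domain scores, coverage gaps, redundant tools and a greedy "next best tool" suggestion. The CRE identifiers, weights and tool mappings are constructed for illustration and do not reflect OpenCRE's real catalogue or Smithy's real tables.

```python
"""Toy tool -> CRE -> SAMM scoring engine (constructed example, not Smithy's code)."""
from dataclasses import dataclass

SAMM_DOMAINS = ("Governance", "Design", "Implementation", "Verification", "Operations")


@dataclass(frozen=True)
class Control:
    cre_id: str    # hypothetical CRE identifier, not a real OpenCRE id
    domain: str    # SAMM business function the CRE rolls up to
    weight: float  # points a covered CRE contributes to that domain


# Constructed catalogue: the CRE "middleware" layer between tools and SAMM domains.
CATALOGUE = {c.cre_id: c for c in (
    Control("CRE-DAST", "Verification", 2.0),
    Control("CRE-SAST", "Verification", 2.0),
    Control("CRE-IAC", "Implementation", 1.5),
    Control("CRE-SECRETS", "Implementation", 1.5),
    Control("CRE-DEPS", "Implementation", 1.0),
    Control("CRE-THREATMODEL", "Design", 2.0),
    Control("CRE-INCIDENT", "Operations", 2.0),
    Control("CRE-POLICY", "Governance", 2.0),
)}

# Constructed tool -> CRE mappings (illustrative, not Smithy's real mapping table).
TOOLS = {
    "zaproxy": {"CRE-DAST"},
    "semgrep": {"CRE-SAST"},
    "checkov": {"CRE-IAC"},
    "gitleaks": {"CRE-SECRETS"},
    "trufflehog": {"CRE-SECRETS"},
    "trivy": {"CRE-DEPS", "CRE-IAC"},
}


def covered_cres(selected):
    """CRE ids covered by at least one selected tool; rejects unknown tool names."""
    unknown = set(selected) - TOOLS.keys()
    if unknown:
        raise ValueError(f"unknown tools: {sorted(unknown)}")
    covered = set()
    for tool in selected:
        covered |= TOOLS[tool]
    return covered


def domain_scores(selected):
    """{domain: (points, max_points)}. A CRE counts once even if several tools cover it."""
    covered = covered_cres(selected)
    scores = {d: [0.0, 0.0] for d in SAMM_DOMAINS}
    for c in CATALOGUE.values():
        scores[c.domain][1] += c.weight
        if c.cre_id in covered:
            scores[c.domain][0] += c.weight
    return {d: tuple(v) for d, v in scores.items()}


def coverage_gaps(selected):
    """{domain: sorted CRE ids that no selected tool covers} -- the highlighted gaps."""
    covered = covered_cres(selected)
    gaps = {d: [] for d in SAMM_DOMAINS}
    for c in CATALOGUE.values():
        if c.cre_id not in covered:
            gaps[c.domain].append(c.cre_id)
    return {d: sorted(v) for d, v in gaps.items()}


def redundant_tools(selected):
    """Tools whose every CRE is also covered by some other selected tool."""
    selected = list(dict.fromkeys(selected))  # de-duplicate, keep order
    redundant = []
    for tool in selected:
        others = covered_cres([t for t in selected if t != tool])
        if TOOLS[tool] <= others:
            redundant.append(tool)
    return sorted(redundant)


def best_next_tool(selected):
    """Greedy suggestion: the unselected tool that adds the most points, as (name, gain)."""
    covered = covered_cres(selected)
    best, best_gain = None, 0.0
    for tool, cres in sorted(TOOLS.items()):
        gain = sum(CATALOGUE[c].weight for c in cres - covered)
        if gain > best_gain:
            best, best_gain = tool, gain
    return best, best_gain


if __name__ == "__main__":
    stack = ["zaproxy", "checkov", "trivy", "gitleaks", "trufflehog"]
    for domain, (pts, mx) in domain_scores(stack).items():
        print(f"{domain:<15} {pts:>4}/{mx}")
    print("gaps:", coverage_gaps(stack))
    print("redundant:", redundant_tools(stack))
    print("next:", best_next_tool(stack))
```

Two design points carry over to a real explorer: scoring is done per CRE rather than per tool, so two secret scanners do not double-count, and redundancy falls out of the same data, since a tool is redundant exactly when the remaining selection already covers all of its CREs.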
Flowcharts as a UX Paradigm
Our design philosophy at Smithy is workflow-first. We bring into cyber security concepts from industry-leading no-code automation platforms: Zapier, which connects hundreds of apps and automates workflows through no-code “Zaps”, and Make, whose visual scenarios compose logic-driven processes. By leveraging familiar flowchart metaphors, we reduce cognitive load and let users focus on their security workflows, not the UI itself.
In UX design, flowcharts help teams map complex processes, identify edge cases, and align stakeholders from the start. Flow diagrams are usually used to capture user journeys and system behaviours. In our case the flowcharts capture the journey of security information rather than user journeys. These clear steps – code → scan results → enriched findings → final vulnerability alerts – let users plan and predict how data moves through the different components while keeping track of what happens at every stage.
Why should you use this?
- Gap Analysis: Quickly spot where your coverage gaps lie by watching how your SAMM score climbs – or stalls – as you add each tool. This will help your team prioritize which security practices to implement next.
- Budget Justification: Build a data-driven business case by quantifying how prospective new tools would raise your SAMM maturity score before you invest in them. Present concrete numbers to stakeholders and get buy-in faster.
- Identify Redundancies: Streamline your security stack by seeing which controls are already covered and uncovering overlapping tools. Eliminate unnecessary licensing costs and reduce operational complexity.
- Learn About New Tools: Our catalog grows all the time. If you’re curious which solutions exist for a particular domain, simply explore DevSecOps Explorer’s supported-tools list – then decide which ones to trial or integrate into your pipeline.
Try it!
Try the DevSecOps Explorer to instantly see the maturity level of your organisation.
Ready to see how Smithy can improve your DevSecOps maturity? Book a live demo with one of our experts now.
Want to run it locally or contribute? Check out our open source project on GitHub.
Have feedback or a tool we missed? Submit it here and let’s make DevSecOps tooling more transparent, data-driven, and effective – together.