Welcome to the Elephant in AppSec, the podcast that explores, challenges, and boldly faces the AppSec elephants in the room. Today, I’m thrilled to welcome a true expert in DevSecOps, Timo Pagel! With over 20 years of experience in security strategy, web development, and DevSecOps architecture, Timo brings a wealth of knowledge to the table. As a freelance consultant and university lecturer, he’s passionate about training the next generation of AppSec professionals while actively contributing to the open source community as the leader of the OWASP DevSecOps Maturity Model (DSOMM) project (https://dsomm.owasp.org/). In this episode, Timo and I dive deep into the critical differences between popular maturity models like DSOMM and SAMM, uncover why a one-size-fits-all approach to maturity frameworks often fails, and explore the unique challenges of implementing DSOMM in startups versus large enterprises. Along the way, we tackle controversial topics like the shortcomings of many AppSec tools and whether security teams are being set up for failure by immature solutions. Dive right in!