Domain 13: Security Reliability | SRE Maturity Rubric

0-6

Ad-hoc

7-12

Foundational

13-18

Standardized

19-24

Advanced

25-30

Optimized

Scoring Criteria by Level

Level	Criteria
1	Secrets in code; manual cert management; no scanning
2	Basic secrets vault; some cert automation; ad-hoc scans
3	Secrets rotated; cert auto-renewal; regular scanning
4	Zero-trust principles; scanning in CI; short-lived creds
5	Dynamic secrets; continuous compliance; automated remediation

Assessment Questions

#	Question	Max
1	How do you manage secrets?	6
2	How are certificates managed?	6
3	How do you scan for vulnerabilities?	6
4	How often do you rotate credentials?	6
5	How do you handle security incidents?	6

Focus Areas

Secrets: Vault, rotation, no hardcoding
Certs: Auto-renewal, short expiry
Scanning: SAST, DAST, dependency scanning
Zero Trust: Verify explicitly, least privilege

Anti-Patterns (Red Flags)

Secrets in source control
Long-lived credentials
Manual certificate renewals
No vulnerability scanning
Security as afterthought

Evidence Checklist

Secrets vault in use (HashiCorp, AWS SM)
Certificates auto-renew (cert-manager)
Vulnerability scanning in CI/CD
Credential rotation policy documented
Security incident runbook exists

Related Domains

Domain	Relationship
Release Eng	Security gates in CI/CD
DR	Secure backup storage
Documentation	Security runbooks needed

Security as Reliability

Secure systems are reliable systems.