"- DevSecOps culture is lacking if manual processes are tolerated when such
processes can and should be automated (e.g. automated testing, continuous
integration, continuous delivery)."

It also provides a set of questions to ask development teams and management: "-
Who are your users and how are you interacting with them?

• What is your (current and future) cycle time for releases to your users?"

"- What are your management metrics for development and operations; how are they
used to inform priorities, detect problems; how often are they accessed and used
by leadership?

• Who are the users that you deliver value to each sprint cycle? Can we talk to
  them?"

"- Is feedback from users turned into concrete work items for sprint teams on
timelines shorter than one month?"

It even has a nice flowchart on how to detect #agile bullshit: