DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are rapidly implementing these practices to develop and deploy software in operational environments, often without a full understanding and consideration of security.
NIST held a virtual workshop in January 2021 on improving the security of DevOps practices; you can access the workshop recording and materials here.
DevSecOps helps ensure that security is addressed as part of all DevOps practices by integrating security practices and automatically generating security and compliance artifacts throughout the process. This is important for several reasons, including:
- Reduces vulnerabilities, malicious code, and other security issues in released software without slowing down code production and releases
- Mitigates the potential impact of vulnerability exploitation throughout the application lifecycle, including when the code is being developed and when the software is executing on dynamic hosting platforms
- Addresses the root causes of vulnerabilities to prevent recurrences, such as strengthening test tools and methodologies in the toolchain, and improving practices for developing code and operating hosting platforms
- Reduces friction between the development, operations, and security teams in order to maintain the speed and agility needed to support the organization’s mission while taking advantage of modern and innovative technology
In general, to advance current and emerging secure software development and operations practices, NIST plans to:
- Conduct foundational research to better understand new and emerging development methodologies, tools, and technologies, and their cybersecurity implications
- Lead the development of, and inform improvements to, international standards and industry practices for secure software development and operations
- Produce practical and actionable guidelines that meaningfully integrate security practices into development methodologies and can be applied by organizations to develop more secure software
- Demonstrate the use of current and emerging secure development frameworks, practices, and tools to address cybersecurity challenges
To help industry and government improve the security of their DevOps practices, NIST has initiated a DevSecOps project. This project will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps practices.
NIST’s proposed applied risk-based approach for the DevSecOps project is similar to the one recently used for the Secure Software Development Framework (SSDF) and the NIST Cybersecurity Framework. The approach is intended to help organizations maintain the velocity and volume of software delivery in a cloud-native way, with the use of automated tools treated as one of the primary use cases.
NIST and others have published many security guidance and practices documents, but that material has not yet been put into the context of DevOps. Industry, standards developing organizations, and government agencies are currently planning and executing work related to DevSecOps. Leveraging those efforts to provide a community-developed set of recommended practices would help organizations maintain the velocity and volume of software delivery in a cloud-native way while taking advantage of automated tools. Updating affected NIST publications so they reflect DevOps principles would also help organizations make better use of their recommendations.
NIST would focus its efforts on facilitating communications about DevSecOps among software producers (e.g., commercial-off-the-shelf vendors, government software developers, custom enterprise software developers, open source software developers), operators of the hosting platforms (e.g., enterprise and cloud service providers), and software consumers (e.g., federal government agencies and other organizations).
Principles that NIST would follow include:
- Define DevSecOps concepts so that developers, security professionals, and operations personnel can all understand them
- Select and document the key elements that organizations would need to build successful DevSecOps practices, from changing the organization’s culture to automating security practices into existing development pipelines and toolchains to support the concept of continuous authorization to operate (ATO)
- Provide all organizations with a way to document their current DevSecOps practices and define their future target practices as part of their continuous improvement processes
- Take an approach that would work for:
  - organizations of all sizes and in any sector
  - development for information technology (IT), operational technology (OT), Internet of Things (IoT), etc.
  - development of software, services, firmware, and hardware
- Ensure that organizations have flexibility and customizability with the recommended DevSecOps practices, and that the practices do not cause any duplication of effort for organizations with established DevSecOps practices
Proposed initial activities within this DevSecOps project include:
- Create a new NIST Special Publication (SP) on DevSecOps practices that brings together and normalizes content from existing guidance and practices publications
- Update selected NIST publications most closely related to DevSecOps, such as SP 800-190 on application container security
- Initiate a project in the National Cybersecurity Center of Excellence (NCCoE) to apply the DevSecOps practices in proof-of-concept use case scenarios, each specific to a technology, programming language, and industry sector. The NCCoE project would use commercial and open source technology to demonstrate the use cases. The use case implementations would follow the principles and recommendations in the draft NIST SP on DevSecOps practices and supporting guidance such as NIST SP 800-190, which would be developed or updated in parallel.
Your comments and suggestions for the DevSecOps project are always welcome. Contact us at firstname.lastname@example.org.