National Institute of Standards and Technology
Secure Software Development, Security, and Operations (DevSecOps) Practices

Appendix D Change Log

In March 2026, the web version was created with the following updates:

  • Addressed comments received on the PDF version,

  • Added Section 2 - Project Overview,

  • Added Section 3 - Notional Reference Model for DevSecOps for Demonstration of NIST SSDF,

  • Added Section 4.1 - Example Implementation 1 (E1),

  • Added Section 5 - Next Steps,

  • Added Appendix B - Component Description,

  • Added Appendix C - Collaborators and their Contributions.

In July 2025, the PDF version was created, which included:

  • Executive Summary,

  • Section 1 - Introduction,

  • The introduction to Section 3 - Notional Reference Model for DevSecOps for Demonstration of NIST SSDF.
