National Institute of Standards and Technology
Secure Software Development, Security, and Operations (DevSecOps) Practices
DevSecOps Practices
Executive Summary
1. Introduction
1.1. Background
1.1.1. Development, Security, and Operations (DevSecOps)
1.1.2. The Role of AI in Software Development
1.1.3. The Role of Zero Trust in Software Development
1.2. Audience
1.3. Scope
1.4. Challenges
2. Project Overview
3. Notional Reference Model for DevSecOps for Demonstration of NIST SSDF
3.1. Phases of the Continuous DevSecOps Lifecycle
3.1.1. Plan
3.1.2. Develop
3.1.3. Build
3.1.4. Test
3.1.5. Release
3.1.6. Deploy
3.1.7. Operate
3.2. Continuous Improvements, Security and Monitoring
3.3. Continuous Feedback
3.4. Continuous Integration/Continuous Delivery (CI/CD) Pipeline
3.5. Zero Trust Security
3.6. Artificial Intelligence
4. Example Implementations
4.1. Example Implementation 1 (E1)
4.1.1. Plan
4.1.2. Develop
4.1.3. Build
4.1.4. Test
4.1.5. Release
4.1.6. Deploy
4.1.7. Operate
4.1.8. Continuous Improvements, Security and Monitoring
5. Next Steps
Appendix A List of Acronyms
Appendix B Component Description
Appendix C Collaborators and their Contribution
C.1. AMI
C.1.1. Meridian Firmware Management Service
C.1.2. Meridian Security Services: VMS and SBOM
C.2. Black Duck
C.2.1. Polaris Platform
C.2.2. Black Duck SCA
C.2.3. Black Duck Coverity
C.2.4. Continuous Dynamic
C.2.5. Software Risk Manager (SRM)
C.3. CyberArk Software
C.3.1. CyberArk Privilege Cloud
C.3.2. CyberArk Endpoint Privilege Manager
C.3.3. CyberArk Code Sign Manager
C.3.4. CyberArk Secrets Hub
C.3.5. CyberArk Conjur Cloud
C.3.6. CyberArk Workload Identity
C.3.7. CyberArk Certificate Manager SaaS
C.3.8. CyberArk Certificate Manager (Self-Hosted)
C.4. Dell Technologies
C.5. DigiCert
C.5.1. DigiCert Software Trust Manager
C.6. Endor Labs
C.6.1. Reachability-Based SCA
C.6.2. Endor Code (SAST + Secret Scanning)
C.6.3. Container Scanning
C.6.4. Endor Patches
C.6.5. AI Code Security Review
C.7. GitLab
C.7.1. The GitLab Platform
C.7.2. GitLab Duo (AI)
C.8. Google
C.8.1. Cloud Workstations
C.8.2. Google Cloud Build
C.8.3. Artifact Registry and Artifact Analysis
C.8.4. Binary Authorization
C.8.5. Cloud Deploy
C.8.6. Google Kubernetes Engine
C.8.7. Cloud Run
C.8.8. Security Command Center
C.8.9. deps.dev
C.9. IBM
C.9.1. IBM Cloud and DevSecOps
C.9.2. IBM Cloud Continuous Delivery
C.9.3. IBM Cloud Container Registry and Vulnerability Advisor
C.9.4. IBM Cloud Kubernetes Service and Red Hat OpenShift Services
C.9.5. IBM Cloud Secrets Manager
C.9.6. IBM Cloud Key Protect
C.9.7. IBM Cloud Object Storage (S3-Compatible)
C.10. Microsoft and GitHub Advanced Security (GHAzDO)
C.10.1. Azure Container Registry (ACR)
C.10.2. Azure DevOps (AzDO)
C.10.3. Azure Entra ID
C.10.4. Azure Key Vault (AKV)
C.10.5. Azure Managed DevOps Pool (MDP)
C.10.6. Azure Privileged Identity Management (PIM)
C.10.7. Azure Sentinel
C.10.8. Bicep and Azure Resource Manager (ARM)
C.10.9. GitHub Advanced Security (GHAS)
C.10.10. GitHub Copilot
C.10.11. IDEs – Visual Studio and Visual Studio Code (VS Code)
C.10.12. Microsoft Defender for Cloud (MDC)
C.10.13. Microsoft SBOM Tool
C.10.14. Notary Project
C.11. NextLabs
C.11.1. NextLabs CloudAz Zero Trust Policy Platform
C.11.2. NextLabs Policy Enforcer
C.11.2.1. Application Enforcer – Externalized Authorization Management & ABAC
C.11.2.2. Data Access Enforcer – Secure Global Data Access
C.11.2.3. SkyDRM – Enterprise Digital Rights Management
C.12. Palo Alto Networks
C.12.1. Cortex Cloud Security Platform
C.13. Sagittal AI
C.13.1. Neo
C.14. Scribe Security
C.14.1. ScribeHub
C.14.2. Heyman
Appendix D Change Log
Index
A
Acceptance Test Tool
API Test Tool
Artifact Repository (e.g., Internal and External)
Artifact Signing and Verification Tool
Attestation Signing and Verification Tool
B
Build Tools (e.g., CLI, and Binaries)
C
Certificate Management System
CI/CD Execution, Test and Security Policy Verification Tool
CI/CD Pipeline
Configuration Management System
Container Image Scanner
Credential Management System
Cyber Intelligence, Threat, and Security Metadata Feeds (e.g., OpenSSF, National Vulnerability Database (NVD), Open Source Vulnerabilities (OSV), and Common Vulnerabilities and Exposures (CVE)/Common Weakness Enumeration (CWE))
D
DAST System
Deployment Management System (e.g., Release Orchestration, Rollback, and Canary)
Developer Tools (e.g., IDE, CLI, and Binaries)
F
Firmware Services
Fuzz Test Tool
H
Hardware Security Module (HSM) (including Software or Virtual HSMs)
I
IaC Scanner
IaC Scripts
IAST System
Integration Test Tool
L
Lint Tool
O
Operations Monitoring System (e.g., Infrastructure Management, Log Management, and Performance Monitoring)
P
Package Management System
Product Management System
Project Management System (e.g., Team Planning, Team Collaboration, and Training)
Provenance Generation and Verification Tool
R
Regression Test Tool
Release Management System
Requirements Management System
Risk Management System
Runtime Signature Verification Tool
S
SAST System
SCA System
SCM System (e.g., Version Control, Commit Hooks, and Branch/Merge Protection)
Secret Scanner
Secrets Management System
Security Monitoring System (e.g., Vulnerability Management, Incident Management, Security Information and Event Management (SIEM), and Security Orchestration, Automation, and Response (SOAR))
Smoke Test Tool
Software Libraries (e.g., Internal and External)
T
Team Collaboration Tools
Threat Modeling System
Ticketing System
U
Unit Test Framework
Z
Zero Trust Security System