---

Secure Software Development, Security, and Operations (DevSecOps) Practices

Secure Software Development, Security, and Operations (DevSecOps) Practices

March 2026

This publication is available free of charge from https://www.nccoe.nist.gov/projects/secure-software-development-security-and-operations-devsecops-practices

Alper Kerman

Michael Ogata

National Institute of Standards and Technology

Parisa Grayeli

Joshua Klosterman

Phillip Millwee

Deanna Stanley

Allen Tan

The MITRE Corporation

William Barker

Dakota Consulting

Sudan Ayanam

Stefano Righi

AMI

Chrissa Constantine

Tim Mackey

Black Duck

Rahul Dubey

James Imanian

CyberArk

Daniel Carroll

Daniel Jackson

Dell Technologies

Dean Coclin

Dave Roche

DigiCert

Matt Brown

Tom Gleason

Endor Labs

Paul Pickhardt

MaryGrace Wajda

GitLab

Isaac Hepworth

Brandon Lum

Google

Philippe Mulet

Harmeet Singh

IBM

Tal De La Rosa

Segu Riluvan

Mark Svancarek

Microsoft

Keng Lim

Sameer Shukla

NextLabs

Chima Onukwuru

Neil Roxburgh

Palo Alto Networks

Jose Palazon

Michael Smith

Sagittal AI

Guy Chernobrov

Daniel Nebenzahl

Scribe Security

National Institute of Standards and Technology

• DevSecOps Practices
• Executive Summary

• 1. Introduction
  • 1.1. Background
    • 1.1.1. Development, Security, and Operations (DevSecOps)
    • 1.1.2. The Role of AI in Software Development
    • 1.1.3. The Role of Zero Trust in Software Development
  • 1.2. Audience
  • 1.3. Scope
  • 1.4. Challenges
• 2. Project Overview
• 3. Notional Reference Model for DevSecOps for Demonstration of NIST SSDF
  • 3.1. Phases of the Continuous DevSecOps Lifecycle
    • 3.1.1. Plan
    • 3.1.2. Develop
    • 3.1.3. Build
    • 3.1.4. Test
    • 3.1.5. Release
    • 3.1.6. Deploy
    • 3.1.7. Operate
  • 3.2. Continuous Improvements, Security and Monitoring
  • 3.3. Continuous Feedback
  • 3.4. Continuous Integration/Continuous Delivery (CI/CD) Pipeline
  • 3.5. Zero Trust Security
  • 3.6. Artificial Intelligence
• 4. Example Implementations
  • 4.1. Example Implementation 1 (E1)
    • 4.1.1. Plan
    • 4.1.2. Develop
    • 4.1.3. Build
    • 4.1.4. Test
    • 4.1.5. Release
    • 4.1.6. Deploy
    • 4.1.7. Operate
    • 4.1.8. Continuous Improvements, Security and Monitoring
• 5. Next Steps

• Appendix A List of Acronyms
• Appendix B Component Description
• Appendix C Collaborators and their Contribution
  • C.1. AMI
    • C.1.1. Meridian Firmware Management Service
    • C.1.2. Meridian Security Services: VMS and SBOM
  • C.2. Black Duck
    • C.2.1. Polaris Platform
    • C.2.2. Black Duck SCA
    • C.2.3. Black Duck Coverity
    • C.2.4. Continuous Dynamic
    • C.2.5. Software Risk Manager (SRM)
  • C.3. CyberArk Software
    • C.3.1. CyberArk Privilege Cloud
    • C.3.2. CyberArk Endpoint Privilege Manager
    • C.3.3. CyberArk Code Sign Manager
    • C.3.4. CyberArk Secrets Hub
    • C.3.5. CyberArk Conjur Cloud
    • C.3.6. CyberArk Workload Identity
    • C.3.7. CyberArk Certificate Manager SaaS
    • C.3.8. CyberArk Certificate Manager (Self-Hosted)
  • C.4. Dell Technologies
  • C.5. DigiCert
    • C.5.1. DigiCert Software Trust Manager
  • C.6. Endor Labs
    • C.6.1. Reachability-Based SCA
    • C.6.2. Endor Code (SAST + Secret Scanning)
    • C.6.3. Container Scanning
    • C.6.4. Endor Patches
    • C.6.5. AI Code Security Review
  • C.7. GitLab
    • C.7.1. The GitLab Platform
    • C.7.2. GitLab Duo (AI)
  • C.8. Google
    • C.8.1. Cloud Workstations
    • C.8.2. Google Cloud Build
    • C.8.3. Artifact Registry and Artifact Analysis
    • C.8.4. Binary Authorization
    • C.8.5. Cloud Deploy
    • C.8.6. Google Kubernetes Engine
    • C.8.7. Cloud Run
    • C.8.8. Security Command Center
    • C.8.9. deps.dev
  • C.9. IBM
    • C.9.1 IBM Cloud and DevSecOps
    • C.9.2 IBM Cloud Continuous Delivery
    • C.9.3 IBM Cloud Container Registry and Vulnerability Advisor
    • C.9.4 IBM Cloud Kubernetes Service and Red Hat OpenShift Services
    • C.9.5 IBM Cloud Secrets Manager
    • C.9.6 IBM Cloud Key Protect
    • C.9.7 IBM Cloud Object Storage (S3‑Compatible)
  • C.10. Microsoft and GitHub Advanced Security (GHAzDO)
    • C.10.1. Azure Container Registry (ACR)
    • C.10.2. Azure DevOps (AzDO)
    • C.10.3. Azure Entra ID
    • C.10.4. Azure Key Vault (AKV)
    • C.10.5. Azure Managed DevOps Pool (MDP)
    • C.10.6. Azure Privileged Identity Management (PIM)
    • C.10.7. Azure Sentinel
    • C.10.8. Bicep and Azure Resource Manager (ARM)
    • C.10.9. GitHub Advanced Security (GHAS)
    • C.10.10. GitHub Copilot
    • C.10.11. IDEs – Visual Studio and Visual Studio Code (VS Code)
    • C.10.12. Microsoft Defender for Cloud (MDC)
    • C.10.13. Microsoft SBOM Tool
    • C.10.14. Notary Project
  • C.11. NextLabs
    • C.11.1. NextLabs CloudAz Zero Trust Policy Platform
    • C.11.2. NextLabs Policy Enforcer
      • C.11.2.1. Application Enforcer – Externalized Authorization Management & ABAC
      • C.11.2.2. Data Access Enforcer – Secure Global Data Access
      • C.11.2.3. SkyDRM – Enterprise Digital Rights Management
  • C.12. Palo Alto Networks
    • C.12.1. Cortex Cloud Security Platform
  • C.13. Sagittal AI
    • C.13.1. Neo
  • C.14. Scribe Security
    • C.14.1. ScribeHub
    • C.14.2. Heyman
• Appendix D Change Log