National Institute of Standards and Technology
Secure Software Development, Security, and Operations (DevSecOps) Practices
Executive Summary
1. Introduction
1.1. Background
1.1.1. Development, Security, and Operations (DevSecOps)
1.1.2. The Role of AI in Software Development
1.1.3. The Role of Zero Trust in Software Development
1.2. Audience
1.3. Scope
1.4. Challenges
2. Project Overview
3. Notional Reference Model for DevSecOps for Demonstration of NIST SSDF
3.1. Phases of the Continuous DevSecOps Lifecycle
3.1.1. Plan
3.1.2. Develop
3.1.3. Build
3.1.4. Test
3.1.5. Release
3.1.6. Deploy
3.1.7. Operate
3.2. Continuous Improvements, Security and Monitoring
3.3. Continuous Feedback
3.4. Continuous Integration/Continuous Delivery (CI/CD) Pipeline
3.5. Zero Trust Security
3.6. Artificial Intelligence
4. Example Implementations
4.1. Example Implementation 1 (E1)
4.1.1. Plan
4.1.2. Develop
4.1.3. Build
4.1.4. Test
4.1.5. Release
4.1.6. Deploy
4.1.7. Operate
4.1.8. Continuous Improvements, Security and Monitoring
5. Next Steps
Appendix A List of Acronyms
Appendix B Component Description
Appendix C Collaborators and their Contribution
C.1. AMI
C.1.1. Meridian Firmware Management Service
C.1.2. Meridian Security Services: VMS and SBOM
C.2. Black Duck
C.2.1. Polaris Platform
C.2.2. Black Duck SCA
C.2.3. Black Duck Coverity
C.2.4. Continuous Dynamic
C.2.5. Software Risk Manager (SRM)
C.3. CyberArk Software
C.3.1. CyberArk Privilege Cloud
C.3.2. CyberArk Endpoint Privilege Manager
C.3.3. CyberArk Code Sign Manager
C.3.4. CyberArk Secrets Hub
C.3.5. CyberArk Conjur Cloud
C.3.6. CyberArk Workload Identity
C.3.7. CyberArk Certificate Manager SaaS
C.3.8. CyberArk Certificate Manager (Self-Hosted)
C.4. Dell Technologies
C.5. DigiCert
C.5.1. DigiCert Software Trust Manager
C.6. Endor Labs
C.6.1. Reachability-Based SCA
C.6.2. Endor Code (SAST + Secret Scanning)
C.6.3. Container Scanning
C.6.4. Endor Patches
C.6.5. AI Code Security Review
C.7. GitLab
C.7.1. The GitLab Platform
C.7.2. GitLab Duo (AI)
C.8. Google
C.8.1. Cloud Workstations
C.8.2. Google Cloud Build
C.8.3. Artifact Registry and Artifact Analysis
C.8.4. Binary Authorization
C.8.5. Cloud Deploy
C.8.6. Google Kubernetes Engine
C.8.7. Cloud Run
C.8.8. Security Command Center
C.8.9. deps.dev
C.9. IBM
C.9.1. IBM Cloud and DevSecOps
C.9.2. IBM Cloud Continuous Delivery
C.9.3. IBM Cloud Container Registry and Vulnerability Advisor
C.9.4. IBM Cloud Kubernetes Service and Red Hat OpenShift Services
C.9.5. IBM Cloud Secrets Manager
C.9.6. IBM Cloud Key Protect
C.9.7. IBM Cloud Object Storage (S3-Compatible)
C.10. Microsoft and GitHub Advanced Security (GHAzDO)
C.10.1. Azure Container Registry (ACR)
C.10.2. Azure DevOps (AzDO)
C.10.3. Azure Entra ID
C.10.4. Azure Key Vault (AKV)
C.10.5. Azure Managed DevOps Pool (MDP)
C.10.6. Azure Privileged Identity Management (PIM)
C.10.7. Azure Sentinel
C.10.8. Bicep and Azure Resource Manager (ARM)
C.10.9. GitHub Advanced Security (GHAS)
C.10.10. GitHub Copilot
C.10.11. IDEs – Visual Studio and Visual Studio Code (VS Code)
C.10.12. Microsoft Defender for Cloud (MDC)
C.10.13. Microsoft SBOM Tool
C.10.14. Notary Project
C.11. NextLabs
C.11.1. NextLabs CloudAz Zero Trust Policy Platform
C.11.2. NextLabs Policy Enforcer
C.11.2.1. Application Enforcer – Externalized Authorization Management & ABAC
C.11.2.2. Data Access Enforcer – Secure Global Data Access
C.11.2.3. SkyDRM – Enterprise Digital Rights Management
C.12. Palo Alto Networks
C.12.1. Cortex Cloud Security Platform
C.13. Sagittal AI
C.13.1. Neo
C.14. Scribe Security
C.14.1. ScribeHub
C.14.2. Heyman
Appendix D Change Log