NIST discovers DevSecOps, thinks world should really check this out

Watch out, world: The US government has finally found out about DevSecOps, and it has become a late evangelist for the security-by-default software development practice.

The National Institute of Standards and Technology (NIST), together with a consortium made up of NIST's own National Cybersecurity Center of Excellence and a group of industry partners, released a draft framework on Wednesday aimed at getting organizations, public and private, to adopt the practice.

The document [PDF], a high-level overview of what NIST hopes to achieve, reads in portions like a DevSecOps evangelical broadsheet, and in others, seems to simply be scolding folks for not doing a better job of adopting NIST's Secure Software Development Framework (SSDF). This is not a new problem, as the Office of Management and Budget already pushed back its SSDF attestation deadline once under the Biden administration.

For those unfamiliar with DevSecOps, just think of it as your standard DevOps model, but instead of just integrating developers and operations teams, security is part of the mix from the very beginning. The end result, at least in theory, is a software product that incorporates necessary security features from the beginning, not as an afterthought.

Complementing a DevSecOps approach is NIST's SSDF, which lays out a set of best practices for secure software development. NIST's own SSDF webpage lists a planned project to illustrate how the SSDF applies to DevSecOps; judging by Wednesday's announcement, that project is now up and running.

NIST stated that the consortium's goal is to "develop guidelines that demonstrate the implementation of best practices based on NIST's [SSDF]," and it's turning to the private sector to get ideas on how to connect those practices with DevSecOps. There are 14 vendors collaborating with NIST on the project, including Google, Microsoft, Dell, and GitLab.

"The SSDF looks at building software holistically, helping organizations figure out what needs to be done to make their development environment more secure," Alper Kerman, a cybersecurity engineer with the group and one of the publication's authors, said in the Institute's press release.

AI included, naturally

Kerman summed up the three-pronged goal of the consortium project quite succinctly in the press statement. A big portion of what NIST is doing with these draft guidelines, he noted, is working out how to make good secure-development practices straightforward to apply within DevSecOps, while also accounting for commercial off-the-shelf software, new AI capabilities, and zero-trust design principles.

The idea is to help companies construct software development environments where people can work securely. That means controlling who and what can access the environment, and it equally means verifying everything that enters it, so that software supply chain vulnerabilities are not introduced through unvetted components.
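As an added illustration of the second half of that sentence (this is not NIST's or the consortium's code, and the draft framework does not prescribe any particular tool), the following Python admission gate refuses to let a third-party artifact into a build environment unless its SHA-256 digest matches a pin recorded in a manifest. The manifest layout (a pip-style `name==version --hash=sha256:<hex>` line per package) and the artifact bytes are constructed for the example; real deployments would obtain the pins from a reviewed lockfile and the bytes from the fetched package.

```python
"""Artifact admission gate for a build environment.

Added example, not code from the NIST draft framework. Enforces one
SSDF-style control: nothing enters the environment unless its content
matches a pinned, reviewed digest. Unpinned, mismatched, or unknown
artifacts are rejected with a reason.
"""
import hashlib
import hmac
import re

# One manifest line: name==version followed by zero or more --hash=sha256:<hex>.
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)
HASH_RE = re.compile(r"sha256:([0-9a-f]{64})")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Return {name: (version, {sha256 hex, ...})}; unparseable lines are fatal."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno}: cannot parse {raw!r}")
        pins[m["name"].lower()] = (m["version"], set(HASH_RE.findall(m["hashes"])))
    return pins


def gate(manifest_text: str, artifacts: dict) -> tuple:
    """Decide which artifacts may enter the environment.

    artifacts: {name: (version, content_bytes)}
    Returns (sorted admitted names, {rejected name: reason}).
    """
    pins = parse_manifest(manifest_text)
    admitted, rejected = [], {}
    for name, (version, data) in artifacts.items():
        pin = pins.get(name.lower())
        if pin is None:
            rejected[name] = "not in manifest"      # catches typosquats too
            continue
        pinned_version, digests = pin
        if version != pinned_version:
            rejected[name] = f"version {version} differs from pinned {pinned_version}"
            continue
        if not digests:
            rejected[name] = "pinned without a hash; refusing unverifiable artifact"
            continue
        actual = sha256_hex(data)
        # Timing-safe comparison against every acceptable digest for this pin.
        if not any(hmac.compare_digest(actual, d) for d in digests):
            rejected[name] = "sha256 mismatch"
            continue
        admitted.append(name)
    return sorted(admitted), rejected


# Constructed sample data: the "original" bytes are what a reviewer pinned;
# the tampered copy is what actually shows up at build time.
GOOD_REQUESTS = b"requests-2.32.3 (constructed payload)"
ORIGINAL_URLLIB3 = b"urllib3-2.2.2 (constructed payload)"
TAMPERED_URLLIB3 = ORIGINAL_URLLIB3 + b"\n# injected post-review"

MANIFEST = (
    f"requests==2.32.3 --hash=sha256:{sha256_hex(GOOD_REQUESTS)}\n"
    f"urllib3==2.2.2 --hash=sha256:{sha256_hex(ORIGINAL_URLLIB3)}\n"
    "leftpad==1.0.0\n"   # pinned by version only: no digest to verify against
)

SAMPLE_ARTIFACTS = {
    "requests": ("2.32.3", GOOD_REQUESTS),
    "urllib3": ("2.2.2", TAMPERED_URLLIB3),
    "leftpad": ("1.0.0", b"leftpad-1.0.0 (constructed payload)"),
    "requets": ("2.32.3", GOOD_REQUESTS),   # misspelled name, not in manifest
}

if __name__ == "__main__":
    ok, bad = gate(MANIFEST, SAMPLE_ARTIFACTS)
    print("admitted:", ok)
    for name, reason in bad.items():
        print(f"rejected {name}: {reason}")
```

The gate deliberately treats "pinned but unhashed" as a failure rather than a warning: a version string alone says nothing about what bytes were fetched, which is exactly the gap a supply chain compromise exploits.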

NIST sees a big role for AI in this project, naturally, but not one devoid of oversight.

"The use of AI technology in software development not only improves the work efficiency but also could bring higher quality software in [a] more timely manner," the draft DevSecOps framework reads. "Software development teams still need to ensure AI-generated content is monitored and validated by a human and that verifiable processes are in place to ensure its accuracy and trust."

Defining responsible use of AI tools in DevSecOps is a big part of the project, in other words. Zero-trust security will also play a big role, with NIST noting that the project would explore how to best incorporate zero-trust practices through the entire development process and environment, hopefully without making it a massive point of friction for already busy developers.

A workshop on the project is being held on August 27 to solicit feedback. NIST will use what it learns at the meeting to build a more complete outline, which it said it would continue to update based on feedback throughout the project, an end date for which wasn't specified.

We reached out to NIST to learn more about the project, but it was unable to share more information before publication. ®
