The National Institute of Standards and Technology (NIST) will host a virtual workshop on DevSecOps on Monday, September 19, 2022, at the National Cybersecurity Center of Excellence (NCCoE). DevOps brings together software development and operations, shortening development cycles, making organizations more agile, and taking advantage of cloud-native technology and practices. Industry and government are rapidly implementing these practices, but often do so without a full understanding and consideration of security.
To help improve the security of DevOps practices, we have developed a draft description outlining a proposed project on DevSecOps. The project will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps and software supply chain practices consistent with the Secure Software Development Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), Section 4e of Executive Order 14028 on Improving the Nation’s Cybersecurity, and other NIST, government, and industry guidance. This project will apply these DevSecOps practices in proof-of-concept use case scenarios that will each be specific to a technology, programming language, and industry sector. Both commercial and open-source technology will be used to demonstrate the use cases. This workshop and outputs from the NCCoE project will also inform public and private collaborative efforts seeking to improve the security of open-source software.
The workshop will bring together experts from academia, industry, and government to discuss DevSecOps practices that should be considered in the project. The workshop will focus on addressing security as part of all DevOps practices by integrating security practices and automatically generating security and compliance artifacts throughout the process, including software development, builds, packaging, distribution, and deployment. The feedback from this workshop will inform the final NCCoE project description that will be used to solicit participation from the community to produce demonstrations and a freely available NIST Cybersecurity Practice Guide.
Thanks to everyone who participated in the DevSecOps Workshop. We will post the workshop recording and presentations once they are available.
Recording Note: Portions of the event may be recorded and audience Q&A or comments may be captured. The recorded event may be edited and rebroadcast or otherwise made publicly available by NIST. By registering for — or attending — this event, you acknowledge and consent to being recorded.