NIST discovers DevSecOps, thinks world should really check this out

The National Institute of Standards and Technology (NIST) and a consortium including NIST's own National Cybersecurity Center of Excellence and a group of industry partners, teamed up to release a draft framework on Wednesday to get organizations, public and private, to implement the practice. 

The document, a high-level overview of what NIST hopes to achieve, reads in portions like a DevSecOps evangelical broadsheet, and in others, seems to simply be scolding folks for not doing a better job of adopting NIST's Secure Software Development Framework (SSDF). This is not a new problem, as the Office of Management and Budget already pushed back its SSDF attestation deadline once under the Biden administration.

For those unfamiliar with DevSecOps, just think of it as your standard DevOps model, but instead of just integrating developers and operations teams, security is part of the mix from the very beginning. The end result, at least in theory, is a software product that incorporates necessary security features from the beginning, not as an afterthought. 

Complementing a DevSecOps approach is NIST's SSDF, which outlines a number of best practices for secure software development. NIST even notes on the SSDF's webpage that illustrating how to apply the SSDF to DevSecOps is a planned project for it. Based on Wednesday's announcement, it would seem that the project is up and running. 

NIST stated that the consortium's goal is to "develop guidelines that demonstrate the implementation of best practices based on NIST's [SSDF]," and it's turning to the private sector to get ideas on how to connect those practices with DevSecOps. There are 14 vendors collaborating with NIST on the project, including Google, Microsoft, Dell, and GitLab. 

"The SSDF looks at building software holistically, helping organizations figure out what needs to be done to make their development environment more secure," Alper Kerman, a cybersecurity engineer with the group and one of the publication's authors, said in the Institute's press release. 

A big portion of what NIST is doing with these draft guidelines, he noted, is figuring out how to simplify good software design practices with DevSecOps alongside things like off-the-shelf software and new AI capabilities, as well as zero-trust design principles. 

The idea is to help companies construct software development environments where people can work securely. That includes controlling access just as much as ensuring that everything entering the environment is safely written to eliminate the risk of software supply chain vulnerabilities. 

NIST sees a big role for AI in this project, naturally, but not one devoid of oversight. 

"The use of AI technology in software development not only improves the work efficiency but also could bring higher quality software in a more timely manner," the draft DevSecOps framework reads. "Software development teams still need to ensure AI-generated content is monitored and validated by a human and that verifiable processes are in place to ensure its accuracy and trust." 

Defining responsible use of AI tools in DevSecOps is a big part of the project, in other words. Zero-trust security will also play a big role, with NIST noting that the project would explore how to best incorporate zero-trust practices through the entire development process and environment, hopefully without making it a massive point of friction for already busy developers. 

A workshop on the project is being held on August 27 to solicit feedback. NIST will use what it learns at the meeting to build a more complete outline, which it said it would continue to update based on feedback throughout the project, an end date for which wasn't specified.

NIST drafting guide on how to implement DevSecOps in 2025

The National Institute of Standards and Technology (NIST) and a consortium of industry partners have released a draft framework to help organizations implement DevSecOps, integrating security into software development from the start. The guide emphasizes AI, zero-trust security, and collaboration with vendors like Google, Microsoft, and Dell. A workshop is scheduled to gather feedback on the framework.