The world should seriously consider DevSecOps, a security-focused approach to software development acknowledged by NIST.
The National Institute of Standards and Technology (NIST) and a consortium of fourteen leading tech companies, including Google, Microsoft, Dell, and GitLab, have joined forces to develop a draft framework for implementing DevSecOps. The goal of this project is to improve software security throughout all stages of the development lifecycle by embedding security into DevOps practices.
The project aims to enhance collaboration between development, operations, and security teams, maintaining agility while strengthening security measures. It plans to achieve this by adhering to zero-trust principles and incorporating AI capabilities.
The use of AI technology in software development is a significant focus of the project. AI will be employed as an assistive tool, proactively identifying and helping remediate security threats, automating repetitive tasks, and providing actionable insights for continuous security posture improvement.
Zero-trust security will play a significant role in the project, with a focus on incorporating it throughout the development process and environment. This means continuously verifying and enforcing strict access controls within the software supply chain and development environments to reduce risk.
The project builds upon existing NIST guidance such as the Secure Software Development Framework (SSDF). The SSDF outlines best practices for secure software development, helping organizations figure out what needs to be done to make their development environment more secure.
The consortium is turning to the private sector for ideas on how to connect SSDF practices with DevSecOps. They believe that by combining automation, AI, and zero-trust, they can create more resilient, secure software development processes.
A workshop on the project is being held on August 27 to solicit feedback, and NIST plans to update the project outline based on feedback received during the workshop and throughout the project.
Defining responsible use of AI tools in DevSecOps is a significant part of the project. Software development teams are advised to have humans monitor and validate AI-generated content.
The draft framework emphasizes the importance of adopting NIST's SSDF effectively. It reads like a DevSecOps evangelical broadsheet, scolding organizations for not doing so. The project aims to help construct software development environments that minimize friction for developers while ensuring security.
The end date for the project wasn't specified in the article. NIST was unable to share more information about the project before publication. However, they plan to illustrate how to apply the SSDF to DevSecOps, as noted on the SSDF's webpage.
This approach addresses growing cybersecurity threats targeting software supply chains and DevOps environments by combining automation, AI, and zero-trust to create more resilient, secure software development processes.
- The project, which incorporates technology like AI, aims to embed cybersecurity practices within DevOps, improving software security across development stages.
- The consortium is soliciting ideas from the private sector, focusing on connecting open-source practices with DevSecOps, citing potential for greater resilience and security.
- Alongside DevOps practices, the project emphasizes the importance of data and cloud computing, particularly in ensuring the secure management of personal finance and business data.
- To strengthen security measures, the framework advocates for the use of AI as an assistive tool, helping remediate threats, automating tasks, and providing insights for continuous improvement.
- Adhering to zero-trust principles is essential within the project: enforcing strict access controls and verifying identities throughout the software supply chain.
- The project seeks to address growing cybersecurity threats in the finance and business industry by implementing DevSecOps strategies, bolstered by AI and zero-trust principles.
- Investors and wealth-management firms may benefit from the project's potential to create more secure software development processes and resilient systems, reducing risks associated with data breaches.
- The project, grounded in NIST's Secure Software Development Framework (SSDF), offers guidance on adopting best practices for secure software development, helping organizations ensure their development environments are secure.