DevSecOps
Contents
Full Title or Meme
Development, Security, Operations is like DevOps, except that a security layer is placed between Development and Operations.
Context
This particular morph of DevOps seems to have originated in the US DoD to solve problems like SolarWinds where Developers can place code directly into operations without a security check first.
- The DoD Repo One was created to enable any development org to create app that could run on Platform One
Supply Chain
There is increasing recognition that DevSecOps should also encompass software supply chain security. Most software today relies on one or more third-party components[1]
Solutions
- DoD Enterprise DevSecOps Initiative (DSOP)
The DSOP is joint effort of the DOD’s Chief Information Officer, Office of the Undersecretary of Defense for Acquisition and Sustainment. The services focus on bringing automated software tools, services and standards to DOD programs so that warfighters can create, deploy, and operate software applications in a secure, flexible, and interoperable manner.
- SOFTWARE SUPPLY CHAIN AND DEVOPS SECURITY PRACTICES Implementing a Risk-Based Approach to DevSecOps NIST/NCCoE draft 2022-07
DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are rapidly implementing these practices to develop and deploy software in operational environments, often without a full understanding and consideration of security. Also, most software today relies on one or more third-party components, yet organizations often have little or no visibility into and understanding of how these components are developed, integrated, and deployed, as well as the practices used to ensure the components’ security. To help improve the security of DevOps practices, the NCCoE is planning a DevSecOps project that will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps and software supply chain practices consistent with the Secure Software Development Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and other NIST, government, and industry guidance. This project will apply these DevSecOps practices in proof-of-concept use case scenarios that will each be specific to a technology, programming language, and industry sector. Both commercial and open-source technology will be used to demonstrate the use cases. This project will result in a freely available NIST Cybersecurity Practice Guide.
Continuous Integration/Continuous Delivery
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this cybersecurity information sheet (CSI) to provide recommendations and best practices for improving defenses in cloud implementations of development, security, and operations DevSecOps. This CSI explains how to integrate security best practices into typical software development and operations (DevOps) Continuous Integration/Continuous Delivery (CI/CD) environments, without regard for the specific tools being adapted, and leverages several forms of government guidance to collect and present proper security and privacy controls to harden CI/CD cloud deployments. As evidenced by increasing compromises over time, software supply chains and CI/CD environments are attractive targets for malicious cyber actors (MCAs).[2]
References
- ↑ J. Boyens et al., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-161 Revision 1, Gaithersburg, Md., May 2022, 326 pp. https://doi.org/10.6028/NIST.SP.800-161r1
- ↑ NSA and CISA, Defending Continuous Integration/Continuous Delivery (CI/CD) Environments (2021-06-28) https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF
