DevSecOps

From MgmtWiki

Full Title or Meme

Development, Security, Operations is like DevOps, except that a security layer is placed between Development and Operations: code and its dependencies must pass an automated security check before they are promoted into the operational environment.

Context

This particular morph of DevOps seems to have originated in the US DoD to solve problems like the SolarWinds compromise, where developers (or whoever controls the build) can place code directly into operations without an independent security check first.

  • The DoD Repo One was created to enable any development organization to create apps that could run on Platform One, the DoD's enterprise DevSecOps platform.

Supply Chain

There is increasing recognition that DevSecOps should also encompass software supply chain security. Most software today relies on one or more third-party components, so the security layer has to verify not only the code the team wrote but also what it pulls in.[1]
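As an added illustration (this is not code from MgmtWiki, from the DoD programs named on this page, or from NIST), the following Python gate models the security check that DevSecOps inserts between Development and Operations, applied to the supply-chain point above: before promotion, every third-party component must be pinned to an exact version, carry an integrity hash, appear on an approved list, and match the bytes the build actually fetched. The manifest format (pip `--require-hashes` style), the approved-component list, and the artifact bytes are constructed assumptions for the example.

```python
"""Promotion gate for third-party components (added example, not project code).

Assumptions: the dependency manifest uses pip --require-hashes style lines
(`name==ver --hash=sha256:<hex>`); `approved` is the list of components a
security review signed off on; `artifacts` is what the build cache fetched.
"""
import hashlib
import re

LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)"
    r"(?:(?P<op>==|>=|<=|~=|!=|>|<)(?P<ver>\S+))?"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)


def parse_manifest(text):
    """Parse requirement lines into dicts with name, op, ver and a set of hashes."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {raw!r}")
        hashes = set(re.findall(r"sha256:([0-9a-f]{64})", m.group("hashes")))
        entries.append({"name": m.group("name"), "op": m.group("op"),
                        "ver": m.group("ver"), "hashes": hashes})
    return entries


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def security_gate(manifest_text, approved, artifacts):
    """Return (allowed, findings).

    approved:  {'name==ver': sha256 hex the security team reviewed}
    artifacts: {'name==ver': bytes the build actually downloaded}
    Promotion is refused if any component is unpinned, unhashed, unapproved,
    or if the fetched bytes differ from the approved hash (substitution).
    """
    findings = []
    for e in parse_manifest(manifest_text):
        key = f"{e['name']}=={e['ver']}"
        if e["op"] != "==":
            findings.append(f"{e['name']}: not pinned to an exact version")
            continue
        if not e["hashes"]:
            findings.append(f"{key}: no --hash, integrity cannot be verified")
            continue
        if key not in approved:
            findings.append(f"{key}: not on the approved component list")
            continue
        if approved[key] not in e["hashes"]:
            findings.append(f"{key}: manifest hash differs from approved hash")
            continue
        blob = artifacts.get(key)
        if blob is None:
            findings.append(f"{key}: artifact missing from build cache")
            continue
        if sha256_hex(blob) != approved[key]:
            findings.append(f"{key}: fetched artifact does not match approved hash")
    return (not findings, findings)


# Constructed stand-ins for reviewed component bytes (not real wheels).
GOOD_REQUESTS = b"requests-2.31.0 wheel (constructed stand-in)"
GOOD_URLLIB3 = b"urllib3-2.2.1 wheel (constructed stand-in)"

APPROVED = {
    "requests==2.31.0": sha256_hex(GOOD_REQUESTS),
    "urllib3==2.2.1": sha256_hex(GOOD_URLLIB3),
}


def build_manifest(pins):
    return "\n".join(f"{k} --hash=sha256:{h}" for k, h in pins.items()) + "\n"


# Clean build: everything pinned, hashed, approved, and fetched bytes match.
CLEAN_MANIFEST = build_manifest(APPROVED)
CLEAN_ARTIFACTS = {"requests==2.31.0": GOOD_REQUESTS, "urllib3==2.2.1": GOOD_URLLIB3}

# Tampered build: urllib3 bytes substituted in the cache, plus an unpinned extra dependency.
TAMPERED_MANIFEST = CLEAN_MANIFEST + "leftpad>=1.0\n"
TAMPERED_ARTIFACTS = dict(CLEAN_ARTIFACTS)
TAMPERED_ARTIFACTS["urllib3==2.2.1"] = b"urllib3 with an injected payload (constructed)"

if __name__ == "__main__":
    for label, man, arts in [("clean", CLEAN_MANIFEST, CLEAN_ARTIFACTS),
                             ("tampered", TAMPERED_MANIFEST, TAMPERED_ARTIFACTS)]:
        ok, findings = security_gate(man, APPROVED, arts)
        print(label, "PROMOTE" if ok else "BLOCK", findings)
```

The gate verifies the fetched bytes, not just the manifest: a manifest can be correct while the build cache or mirror serves something else, which is the class of substitution a supply-chain attack exploits. In a real pipeline the approved list would be produced by the security review step and the artifact bytes read from the build's download cache.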

Solutions

  • DoD Enterprise DevSecOps Initiative (DSOP)
    The DSOP is a joint effort of the DoD's Chief Information Officer and the Office of the Under Secretary of Defense for Acquisition and Sustainment. It focuses on bringing automated software tools, services and standards to DoD programs so that warfighters can create, deploy, and operate software applications in a secure, flexible, and interoperable manner.
  • Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps, NIST/NCCoE draft project description, July 2022
    DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are rapidly implementing these practices to develop and deploy software in operational environments, often without a full understanding and consideration of security. Also, most software today relies on one or more third-party components, yet organizations often have little or no visibility into and understanding of how these components are developed, integrated, and deployed, or of the practices used to ensure the components' security. To help improve the security of DevOps practices, the NCCoE is planning a DevSecOps project that will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps and software supply chain practices consistent with the Secure Software Development Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and other NIST, government, and industry guidance. The project will apply these DevSecOps practices in proof-of-concept use case scenarios, each specific to a technology, programming language, and industry sector, using both commercial and open-source technology. It will result in a freely available NIST Cybersecurity Practice Guide.

References

  1. J. Boyens et al., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-161 Revision 1, Gaithersburg, Md., May 2022, 326 pp. https://doi.org/10.6028/NIST.SP.800-161r1