[Project Description] Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps (Draft) – Computer Security Resource Center

Date Published: July 21, 2022
Comments Due: August 22, 2022
Email Comments to: devsecops-nist@nist.gov

Karen Scarfone (Scarfone Cybersecurity), Murugiah Souppaya (NIST)

The NCCoE has released this draft Project Description, which begins a process to solicit public comments for the project requirements, scope, and hardware and software components for use in a laboratory environment.
The project will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps and software supply chain practices consistent with the Secure Software Development Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and other NIST, government, and industry guidance. This project will apply these practices in proof-of-concept use case scenarios that are each specific to a technology, programming language, and industry sector. Both commercial and open source technology will be used to demonstrate the use cases. This project will result in a freely available NIST Cybersecurity Practice Guide. 
Review the project description and submit comments online on or before August 22, 2022. You can also help shape and contribute to this project by joining the NCCoE’s DevSecOps Community of Interest. Send an email to devsecops-nist@nist.gov detailing your interest. 
We value and welcome your input and look forward to your comments. 
DevOps brings together software development and operations to shorten development cycles, allow organizations to be agile, and maintain the pace of innovation while taking advantage of cloud-native technology and practices. Industry and government have fully embraced and are rapidly implementing these practices to develop and deploy software in operational environments, often without a full understanding and consideration of security. Also, most software today relies on one or more third-party components, yet organizations often have little or no visibility into and understanding of how these components are developed, integrated, and deployed, as well as the practices used to ensure the components’ security. To help improve the security of DevOps practices, the NCCoE is planning a DevSecOps project that will focus initially on developing and documenting an applied risk-based approach and recommendations for secure DevOps and software supply chain practices consistent with the Secure Software Development Framework (SSDF), Cybersecurity Supply Chain Risk Management (C-SCRM), and other NIST, government, and industry guidance. This project will apply these DevSecOps practices in proof-of-concept use case scenarios that will each be specific to a technology, programming language, and industry sector. Both commercial and open source technology will be used to demonstrate the use cases. This project will result in a freely available NIST Cybersecurity Practice Guide.
Assessment, Authorization and Monitoring; System and Communications Protection; System and Information Integrity; System and Services Acquisition
Publication:
Draft Project Description

Supplemental Material:
Project homepage (web)

Document History:
07/21/22: White Paper (Draft)

Security and Privacy
cybersecurity supply chain risk management; risk management
Technologies
cloud & virtualization; software & firmware