We welcome any initiative that brings DevSecOps practices to the forefront, so it is great to see that NIST is truly unifying these efforts so that DevSecOps becomes a standard for federal agencies.
DevSecOps as a framework is currently being considered by NIST as a means of standardising the embedding of security controls at the beginning of the SDLC.
This is in line with what many in the industry have been noting. Recently, Jason Green from Sonatype pointed out that “the Time is Now for DevSecOps in the Federal Government”. Ron Ross is actively leading the project at NIST to develop a DevSecOps framework similar to its Cybersecurity Framework.
“We have to change the fidelity of the process of developing devices from the very start”, Ross said at an Advanced Technology Academic Research Center conference on March 10.
As originally posted by Fedscoop, NIST is “currently gathering information on products developed using DevSecOps, an organizational philosophy that combines agile software development, security testing and tools for rapid delivery of applications and services”.
This is a promising step towards standardising secure software practices and we’ll be following NIST’s development in this area closely.
Sign up to our community version and start threat modeling today! If you would like to see a full demo of IriusRisk you can download our Secure Design Webinar for free, or alternatively, if you would like to talk to our team for a custom demo of IriusRisk get in touch.