The National Institute of Standards and Technology (NIST) is working on DevOps guidance with an emphasis on building security into the process.
“The guidance that we’re going to try to produce on DevOps is going to again be trying to normalize this whole new concept of moving security left, and not just having security be the domain of security professionals,” said NIST Fellow Ron Ross, speaking today at the Micro Focus Government Summit.
Ross explained that good software development practices will make most security problems go away, but lingering vulnerabilities are often attributable to processes that the development team should have included in the first place. With a DevSecOps approach, security becomes everybody’s responsibility.
Switching to this mindset will involve organizational culture shifts to break down isolation barriers caused by old approaches to development and operations. “We never really push security deeply into the enterprise operations … DevSecOps, by its very definition, assumes that that’s going to happen as a routine cultural shift. Not that it’s easy, but it needs to happen,” Ross said.
He went on to explain that a DevSecOps approach is especially important as agencies explore new technology. A DevSecOps approach provides full transparency into every layer of an organization’s applications. With emerging technology like artificial intelligence, organizations must be able to build on top of a system knowing that they can trust every layer, because a compromised layer could expose the layers of data beneath it. DevSecOps provides the visibility to move forward.