The National Institute of Standards and Technology (NIST) released an initial public draft on Aug. 30 on the use of software supply chain security strategies within DevSecOps pipelines, and is seeking public comment on the draft through Oct. 13.
The draft, titled “Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines,” looks at “strategies for integrating SSC security assurance measures into CI/CD pipelines. The overall goal is to ensure that the CI/CD pipeline activities that take source code through the build, test, package, and deployment stages are not compromised.”
“[The] document focuses on actionable measures to integrate various building blocks for SSC security assurance into CI/CD pipelines to enhance the preparedness of organizations to address SSC security in the development and deployment of their cloud-native applications,” the draft states.
NIST is seeking input on the draft, and on how to improve the document, from a wide swath “of practitioners in the software industry, including site reliability engineers, software engineers, project and product managers, and security architects and engineers.”
As cloud technologies become a more prevalent part of the supply chain, the need to protect multiple loosely coupled services becomes an ever-growing concern for cybersecurity experts, NIST said.