NIST Special Publication (SP) 800-204C, Implementation of DevSecOps for a Microservices-based Application with Service Mesh, is now available.
The newest generation of software applications – cloud-native applications – has evolved into a standardized architecture of loosely coupled components called microservices that are supported by an infrastructure for providing application services (e.g., service mesh). In this architecture, the entire set of source code involved in the application environment can be divided into five code types: 1) application code, 2) application services code, 3) infrastructure as code, 4) policy as code, and 5) observability as code. The unique architecture of this application class requires a more agile software life cycle paradigm, and DevSecOps (development, security, and operations) offers faster deployment and updates while integrating security throughout the life cycle.
NIST SP 800-204C provides guidance for the implementation of DevSecOps primitives for a reference platform hosting a cloud-native application with the code types listed above. The guidance also discusses the benefits of this approach in providing high security assurance and in enabling continuous authority to operate (C-ATO).