Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Implementation of DevSecOps for a Microservices-based Application with Service Mesh



Ramaswamy Chandramouli


Cloud-native applications have evolved into a standardized architecture consisting of multiple loosely coupled components called microservices (often typically implemented as containers) that are supported by an infrastructure for providing application services, such as service mesh. Both of these components are usually hosted on a container orchestration and resource management platform. In this architecture, the entire set of source code involved in the application environment can be divided into five code types: 1) application code (which embodies the application logic), 2) application services code (for services such as session establishment, network connection, etc.), 3) infrastructure as code (for provisioning and configuring computing, networking, and storage resources), 4) policy as code (for defining runtime policies such as zero trust expressed as a declarative code), 5) and observability as code (for the continuous monitoring of an application runtime state). Due to security, business competitiveness, and the inherent structure of loosely coupled application components, this class of applications needs a different development, deployment, and runtime paradigm. DevSecOps (consisting of acronyms for Development, Security, and Operations, respectively) has been found to be a facilitating paradigm for these applications with primitives such as continuous integration, continuous delivery, and continuous deployment (CI/CD) pipelines. These pipelines are workflows for taking the developer's source code through various stages, such as building, testing, packaging, deployment, and operations supported by automated tools with feedback mechanisms. The objective of this document is to provide guidance for the implementation of DevSecOps primitives for cloud-native applications with the architecture and code types described above. The benefits of this approach for high security assurance and for enabling continuous authority to operate (C-ATO) are also discussed.
Special Publication (NIST SP) - 204C
Report Number


container orchestration and resource management platform, DevSecOps, CI/CD pipelines, infrastructure as code, policy as code, observability as code, GitOps, workflow models, static AST, dynamic AST, interactive AST, SCA.


Chandramouli, R. (2022), Implementation of DevSecOps for a Microservices-based Application with Service Mesh, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online],, (Accessed June 14, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created March 8, 2022, Updated November 29, 2022