
Phase 1: Code and Prebuild

Security Compliance for Code and Prebuild

Introduction

Integrating security into every stage of the Software Development Life Cycle (SDLC) is more critical than ever. The code and prebuild stage is foundational to creating secure, reliable, and high-performing applications. Failing to address vulnerabilities early can lead to costly fixes, data breaches, and reputational damage down the line.

This section provides a comprehensive guide to the essential security tools that developers and DevOps teams should use during the code and prebuild phase to ensure vulnerabilities are identified and mitigated before they can cause harm. From Static Application Security Testing (SAST) to dependency scanning and secure CI/CD pipelines, the right tools can help you adopt a proactive approach to software security while maintaining development velocity. The sections that follow present guidelines from industry frameworks together with suggested open-source tooling for meeting the compliance goals.

1 - Secure Software Development Framework

Secure Software Development Framework and Code/Prebuild CI/CD Steps

Achieving Code and Prebuild Tasks of the Secure Software Development Framework

The Secure Software Development Framework, developed by the National Institute of Standards and Technology (NIST), provides a comprehensive approach to ensuring security across the software development process, from initial design through deployment and maintenance. The framework outlines key practices and guidelines that organizations can implement to secure their software development lifecycle (SDLC), with a particular emphasis on integrating security into automated processes. This chapter focuses specifically on DevSecOps tooling and practices related to Code and Prebuild actions of the CI/CD pipeline to achieve:

Prepare the Organization (PO): Organizations should ensure that their people, processes, and technology are prepared to perform secure software development at the organization level. Many organizations will find some PO practices to also be applicable to subsets of their software development, like individual development groups or projects.

Protect the Software (PS): Organizations should protect all components of their software from tampering and unauthorized access.

Produce Well-Secured Software (PW): Organizations should produce well-secured software with minimal security vulnerabilities in its releases.

Respond to Vulnerabilities (RV): Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future.

1.1 - Prepare the Organization (PO)

Prepare the Organization (PO) CI/CD Steps

Prepare the Organization (PO)

PO.3 Implement Supporting Toolchains

Use automation to reduce human effort and improve the accuracy, reproducibility, usability, and comprehensiveness of security practices throughout the SDLC, as well as provide a way to document and demonstrate the use of these practices. Toolchains and tools may be used at different levels of the organization, such as organization-wide or project-specific, and may address a particular part of the SDLC, like a build pipeline.

Open-Source Tools to Achieve:

Workflow Framework


1.2 - Protect the Software (PS)

Protect the Software (PS) CI/CD Steps

Protect the Software (PS)

PS.1.1 Store all forms of code

PS.1.1: Store all forms of code – including source code, executable code, and configuration-as-code – based on the principle of least privilege so that only authorized personnel, tools, services, etc. have access.

Open-Source Tools to Achieve:

Source Repositories



1.3 - Produce Well-Secured Software (PW)

Produce Well-Secured Software (PW) CI/CD Steps

Produce Well-Secured Software (PW)

PW.4.1 Acquire and Maintain Well-secured Software

Ensure safe use of components (e.g., software libraries, modules, middleware, frameworks) from commercial, open-source, and other third-party developers for use by the organization’s software. Implement a Software Bill of Materials (SBOM) scan to obtain provenance information for each software component. Establish one or more software repositories to host sanctioned and vetted open-source components.

Open-Source Tools to Achieve:

SBOM Generation and Attestation Tools:

Binary Repositories:

Git Commit Signing:

Repo Security Scanning:

PW.7 Review and/or Analyze Human-Readable Code

Help identify vulnerabilities so that they can be corrected before the software is released to prevent exploitation. Using automated methods lowers the effort and resources needed to detect vulnerabilities. Human-readable code includes source code, scripts, and any other form of code that an organization deems human-readable.

Open-Source Tools to Achieve:



1.4 - Respond to Vulnerabilities

Respond to Vulnerabilities (RV) CI/CD Steps

Respond to Vulnerabilities (RV)

Task: Identify and Respond to Vulnerabilities

How to Achieve: Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future.

RV.1 Identify and Confirm Vulnerabilities on an Ongoing Basis

Open-Source Tools to Achieve:

Identify Vulnerabilities

Static Application Security Testing (SAST):

Dynamic Application Security Testing (DAST):

Software Composition Analysis (SCA):

RV.2 Assess, Prioritize, and Remediate Vulnerabilities

RV.3 Identify Root Causes and Help Reduce the Frequency of Vulnerabilities in the Future