Protect the Organization (PO)
Organizations should ensure that their people, processes, and technology are prepared to perform secure software development at the organization level. Many organizations will find some PO practices to also be applicable to subsets of their software development, like individual development groups or projects.
PO.2 Implement Roles and Responsibilities
Ensure that everyone inside and outside of the organization involved in the SDLC is prepared to perform their SDLC-related roles and responsibilities throughout the SDLC.
Tasks | Tools |
---|---|
PO.2.1: Create new roles and alter responsibilities for existing roles as needed to encompass all parts of the SDLC. Periodically review and maintain the defined roles and responsibilities, updating them as needed. Designate a group of individuals as the code owners for each project, and review the list annually. | GitHub CODEOWNERS; GitLab CODEOWNERS |
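The annual review of the code owner list is easy to automate. As an added example (not from the page, GitHub or GitLab), the Python script below parses a constructed CODEOWNERS file, rejects malformed rules, resolves which team owns a given path using the last-match-wins rule both platforms apply, and lists owners that no longer appear on the organization's roster. The team names, the roster and the simplified pattern matcher (directory rules ending in `/`, `*` wildcards, anchored and unanchored patterns) are assumptions for the demonstration and do not cover every detail of GitHub's or GitLab's matching semantics.

```python
"""Validate a CODEOWNERS file and resolve owners for repository paths.

Added example, not part of the original page or of GitHub/GitLab tooling.
The CODEOWNERS text, the roster and the team names are constructed, and
the matcher implements only the subset of pattern syntax used here.
"""
import fnmatch
import re

# Constructed sample CODEOWNERS file (what would live at .github/CODEOWNERS).
CODEOWNERS = """\
# Default owners for everything not matched below.
*                @example-org/app-maintainers

# Build and CI configuration is security-sensitive: require the platform team.
/.github/        @example-org/platform-security
/Dockerfile      @example-org/platform-security

# Crypto code needs a specialist reviewer in addition to the app team.
/src/crypto/     @example-org/app-maintainers @example-org/crypto-reviewers
"""

# Constructed roster of teams and users allowed to appear as owners.
KNOWN_OWNERS = {
    "@example-org/app-maintainers",
    "@example-org/platform-security",
    "@example-org/crypto-reviewers",
}

# @user, @org/team, or an e-mail address.
OWNER_RE = re.compile(r"^@[\w.-]+(/[\w.-]+)?$|^[^\s@]+@[^\s@]+\.[^\s@]+$")


def parse_codeowners(text):
    """Return a list of (pattern, [owners]) rules; raise ValueError on malformed lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        pattern, *owners = line.split()
        if not owners:
            raise ValueError(f"line {lineno}: pattern {pattern!r} has no owners")
        bad = [o for o in owners if not OWNER_RE.match(o)]
        if bad:
            raise ValueError(f"line {lineno}: malformed owner(s) {bad}")
        rules.append((pattern, owners))
    return rules


def _matches(pattern, path):
    """Simplified matcher; `path` is repository-relative without a leading slash."""
    if pattern == "*":
        return True
    anchored = pattern.startswith("/")
    pat = pattern.lstrip("/")
    if pat.endswith("/"):  # directory rule: everything beneath the directory
        if anchored:
            return path.startswith(pat)
        return ("/" + path).find("/" + pat) != -1
    if anchored:
        return fnmatch.fnmatchcase(path, pat)
    # Unanchored file patterns apply to the basename anywhere in the tree.
    return fnmatch.fnmatchcase(path.rsplit("/", 1)[-1], pat)


def owners_for(path, rules):
    """The last matching rule wins, as on GitHub and GitLab."""
    owners = []
    for pattern, rule_owners in rules:
        if _matches(pattern, path):
            owners = rule_owners
    return owners


def unknown_owners(rules, roster=KNOWN_OWNERS):
    """Owners referenced in CODEOWNERS that are not on the roster (e.g. disbanded teams)."""
    return sorted({o for _, owners in rules for o in owners if o not in roster})


if __name__ == "__main__":
    rules = parse_codeowners(CODEOWNERS)
    for p in ["src/app/main.py", "src/crypto/aead.py", ".github/workflows/ci.yml", "Dockerfile"]:
        print(f"{p:32} -> {' '.join(owners_for(p, rules))}")
    print("unknown owners:", unknown_owners(rules))
```

Run it in CI against the real file so that a rule pointing at a team that has been disbanded fails the pipeline instead of silently dropping the required reviewer. Note that CODEOWNERS only has teeth when the protected-branch settings require code owner approval; on its own the file only suggests reviewers.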
PO.3 Implement Supporting Toolchains
Use automation to reduce human effort and improve the accuracy, reproducibility, usability, and comprehensiveness of security practices throughout the SDLC, as well as provide a way to document and demonstrate the use of these practices. Toolchains and tools may be used at different levels of the organization, such as organization-wide or project-specific, and may address a particular part of the SDLC, like a build pipeline.
Tasks | Tools |
---|---|
PO.3.1: Specify which tools or tool types must or should be included in each toolchain to mitigate identified risks, as well as how the toolchain components are to be integrated with each other. Use software factories and/or software templates to standardize the toolchain. | Backstage Software Templates (scaffold projects with pipelines-as-code and toolchains-as-code); Konflux-ci, a software factory for Tekton that implements the in-toto framework using pipelines-as-code; CDF CDEvents, a common specification for Continuous Delivery events that enables interoperability across the software production ecosystem |
PO.3.2: Follow recommended security practices to deploy, operate, and maintain tools and toolchains. Use code-based configuration for toolchains (e.g., pipelines-as-code, toolchains-as-code). | Jenkins Jenkinsfile; GitHub Actions workflows in the .github/workflows directory; GitLab CI/CD .gitlab-ci.yml file; Spinnaker Dinghy; Argo CD; Tekton pipelines-as-code; OpenTofu |
PO.3.2: Follow recommended security practices to deploy, operate, and maintain tools and toolchains. Implement the technologies and processes needed for reproducible builds. | Hermetic builds with Konflux-ci; Python; JavaScript; Java/Kotlin/Groovy; C#/.NET; C++; Rust; Go; PHP Composer; SLSA Framework |
PO.3.3: Configure tools to generate artifacts of their support of secure software development practices as defined by the organization. Use existing tooling (e.g., workflow tracking, issue tracking, value stream mapping) to create an audit trail of the secure development-related actions that are performed for continuous improvement purposes. Record security check approvals, rejections, and exception requests as part of the workflow and tracking system. | GitHub Issues; GitLab work tracking; Bugzilla; Redmine; Mantis Bug Tracker; Trac; in-toto framework |
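Pipelines-as-code (PO.3.2) makes the toolchain configuration reviewable, but only if something actually reviews it. As an added example (not the page's own code and not a GitHub feature), the Python linter below checks a GitHub Actions workflow for three weaknesses that "recommended security practices" for CI toolchains commonly call out: actions referenced by a mutable tag instead of a full commit SHA, a missing top-level `permissions:` block (so GITHUB_TOKEN keeps its default scopes) or a `write-all` grant, and attacker-controlled event fields such as a pull request title expanded straight into a `run:` command. The weak and hardened workflows are constructed; the commit SHAs are placeholders, not real releases of those actions, and the line-based checks do not parse multi-line `run: |` scripts.

```python
"""Lint GitHub Actions workflow text for three common toolchain weaknesses.

Added example; not code from the page or from GitHub. Both workflows are
constructed, the checks are line-based regexes (no YAML parser needed), and
the 40-hex commit SHAs are placeholders rather than real action releases.
"""
import re

WEAK_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
      - run: echo "Building ${{ github.event.pull_request.title }}"
      - run: go build ./...
"""

HARDENED_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: actions/setup-go@89abcdef0123456789abcdef0123456789abcdef  # v5 (placeholder SHA)
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Building $PR_TITLE"
      - run: go build ./...
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Event fields an outside contributor controls; they must never be spliced into a shell line.
UNTRUSTED_EXPR_RE = re.compile(
    r"\$\{\{\s*github\.(event\.(pull_request\.(title|body)|issue\.(title|body)|comment\.body|"
    r"head_commit\.message|commits\[[^\]]*\]\.message)|head_ref)\s*\}\}"
)


def lint_workflow(text):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    lines = text.splitlines()

    # 1. Every remote action must be pinned to an immutable commit SHA, not a movable tag.
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite actions and images are out of scope here
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(f"line {n}: action {ref!r} is not pinned to a 40-hex commit SHA")

    # 2. The workflow must declare its GITHUB_TOKEN scopes instead of inheriting defaults.
    if not any(re.match(r"^permissions:", line) for line in lines):
        findings.append("no top-level 'permissions:' block; GITHUB_TOKEN keeps the default scopes")
    if any(re.match(r"^\s*permissions:\s*write-all", line) for line in lines):
        findings.append("'permissions: write-all' grants every scope to GITHUB_TOKEN")

    # 3. Untrusted event data must reach 'run:' through an env var, not expression expansion.
    for n, line in enumerate(lines, 1):
        if re.match(r"^\s*-?\s*run:", line) and UNTRUSTED_EXPR_RE.search(line):
            findings.append(f"line {n}: untrusted expression expanded directly into a shell command")
    return findings


if __name__ == "__main__":
    for name, wf in [("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)]:
        print(name, "->", lint_workflow(wf) or "ok")
```

The hardened workflow shows the fix for each finding: the SHA pin, the explicit read-only `permissions:` block, and the pull request title passed through an environment variable so the shell sees data rather than code.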
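The reproducible builds row of PO.3.2 lists tools but does not show what makes a build non-reproducible in the first place. As an added example (not from the page, Konflux-ci or SLSA), the Python below "builds" a .tar.gz from constructed source files in two simulated build environments and compares SHA-256 digests: the naive build differs because it embeds the clock, the build user's uid/gid and the filesystem's directory order, while the normalized build fixes the timestamp to SOURCE_DATE_EPOCH (the reproducible-builds.org convention), zeroes ownership and sorts entries, and so produces byte-identical output. The source files and the two environments are constructed.

```python
"""Show why a build is not reproducible and how normalizing its inputs fixes it.

Added example, not code from the page or from Konflux-ci/SLSA. The "build"
is a gzip-compressed tar of constructed source files; two build
environments (different clock, uid, gid, directory order) are simulated.
"""
import gzip
import hashlib
import io
import tarfile

# Constructed source tree.
SOURCES = {"src/main.go": b"package main\n", "README.md": b"# demo\n", "go.mod": b"module demo\n"}

SOURCE_DATE_EPOCH = 1_700_000_000  # fixed timestamp, e.g. taken from the commit date


def build(files, *, mtime, uid, gid, order):
    """Produce a .tar.gz of `files`, embedding whatever mtime/ownership/order the caller gives."""
    buf = io.BytesIO()
    # The gzip header carries its own timestamp, so it has to be pinned as well as the tar entries.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
            for name in order:
                data = files[name]
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = mtime
                info.uid, info.gid = uid, gid
                info.uname = info.gname = ""
                info.mode = 0o644
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_build(files, env):
    """A typical build: timestamps from the clock, ownership from the build user,
    file order from whatever the filesystem listing returned."""
    return build(files, mtime=env["now"], uid=env["uid"], gid=env["gid"], order=env["listing"])


def reproducible_build(files, env):
    """The same build with every environment-dependent input normalized."""
    return build(files, mtime=SOURCE_DATE_EPOCH, uid=0, gid=0, order=sorted(files))


def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()


def builds_match(build_fn, files, envs):
    """The reproducibility check itself: build in every environment and compare digests."""
    digests = {digest(build_fn(files, env)) for env in envs}
    return len(digests) == 1


# Two constructed build environments: a developer laptop and a CI runner.
LAPTOP = {"now": 1_700_000_123, "uid": 1000, "gid": 1000,
          "listing": ["README.md", "go.mod", "src/main.go"]}
CI_RUNNER = {"now": 1_700_001_456, "uid": 1001, "gid": 1001,
             "listing": ["src/main.go", "README.md", "go.mod"]}

if __name__ == "__main__":
    print("naive build reproducible:     ", builds_match(naive_build, SOURCES, [LAPTOP, CI_RUNNER]))
    print("normalized build reproducible:", builds_match(reproducible_build, SOURCES, [LAPTOP, CI_RUNNER]))
```

Real build systems have the same three inputs hiding in compiler output, archive metadata and dependency resolution; the check is always the same, build independently twice and diff the digests, which is also what a verifier does when checking a provenance claim.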
PO.4 Define and Use Criteria for Software Security Checks
Help ensure that the software resulting from the SDLC meets the organization’s expectations by defining and using criteria for checking the software’s security during development.
Tasks | Tools |
---|---|
PO.4.1: Define criteria for software security checks and track throughout the SDLC. Add software security criteria to existing checks (e.g., the Definition of Done in agile SDLC methodologies). | GitHub Issue Templates; GitLab Description Templates |
PO.4.2: Implement processes, mechanisms, etc. to gather and safeguard the necessary information in support of the criteria. Collect audit logs for code repositories. | GitHub Audit Log; GitLab Audit Logs |
PO.4.2: Implement processes, mechanisms, etc. to gather and safeguard the necessary information in support of the criteria. Only allow authorized personnel to access the gathered information, and prevent any alteration or deletion of the information. Carefully manage the list of repository owners and organization owners who have the ability to view audit logs, delete organizations, and delete code repositories, and review the list annually. | GitHub (organization owner and repository owner management) |
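Both PO.4.2 rows above come down to two operations on the collected audit log: triage the entries that weaken the organization's controls, and store the log in a form where alteration or deletion is detectable. As an added example (not code from the page, GitHub or GitLab), the Python below does both over constructed JSON lines modelled loosely on GitHub's audit log shape (`action`, `actor`, `created_at`, `org`, `repo`): it flags high-risk actions such as repository deletion or disabling the 2FA requirement, then links the entries into a SHA-256 hash chain so that a later edit or a removed record breaks verification. The action names, the high-risk set and the chain seed are assumptions for the demonstration.

```python
"""Triage code-repository audit log entries and keep them in a tamper-evident chain.

Added example; not code from the page, GitHub or GitLab. The entries are
constructed JSON lines modelled loosely on GitHub's audit log fields; the
action names and the high-risk set are assumptions, not a complete policy.
"""
import hashlib
import json

AUDIT_LOG = """\
{"action":"repo.create","actor":"alice","created_at":"2024-05-01T09:00:00Z","org":"example-org","repo":"example-org/api"}
{"action":"protected_branch.destroy","actor":"bob","created_at":"2024-05-01T09:05:00Z","org":"example-org","repo":"example-org/api"}
{"action":"repo.destroy","actor":"bob","created_at":"2024-05-01T09:06:00Z","org":"example-org","repo":"example-org/legacy"}
{"action":"org.add_member","actor":"alice","created_at":"2024-05-01T10:00:00Z","org":"example-org","repo":null}
{"action":"org.disable_two_factor_requirement","actor":"mallory","created_at":"2024-05-01T23:15:00Z","org":"example-org","repo":null}
"""

# Actions that weaken the controls PO.4.2 and PO.5.1 rely on; each should reach a human.
HIGH_RISK_ACTIONS = {
    "repo.destroy",
    "protected_branch.destroy",
    "org.disable_two_factor_requirement",
    "org.remove_member",
}

CHAIN_SEED = b"audit-chain-v1"  # assumed constant; a deployment would derive it per archive


def parse_entries(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def high_risk_events(entries):
    """Return (actor, action, repo or org) for every entry in the high-risk set."""
    return [(e["actor"], e["action"], e["repo"] or e["org"])
            for e in entries if e["action"] in HIGH_RISK_ACTIONS]


def canonical(entry):
    """Stable serialization so the hash does not depend on key order or whitespace."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def chain(entries, seed=CHAIN_SEED):
    """Hash each entry together with the previous link. The archived copy is a list of
    (entry, hash) pairs; editing or deleting any record breaks every later link."""
    prev = hashlib.sha256(seed).digest()
    out = []
    for e in entries:
        prev = hashlib.sha256(prev + canonical(e)).digest()
        out.append((e, prev.hex()))
    return out


def verify_chain(chained, seed=CHAIN_SEED):
    """Recompute the chain; return the index of the first broken link, or None if intact."""
    prev = hashlib.sha256(seed).digest()
    for i, (e, h) in enumerate(chained):
        prev = hashlib.sha256(prev + canonical(e)).digest()
        if prev.hex() != h:
            return i
    return None


if __name__ == "__main__":
    entries = parse_entries(AUDIT_LOG)
    for ev in high_risk_events(entries):
        print("ALERT", ev)
    archived = chain(entries)
    print("archive intact:", verify_chain(archived) is None)
    # Someone with write access to the archive rewrites history to hide the deletion.
    tampered = [(dict(e), h) for e, h in archived]
    tampered[2][0]["action"] = "repo.archived"
    print("first broken link after editing:", verify_chain(tampered))
    print("first broken link after deleting:", verify_chain(archived[:1] + archived[2:]))
```

The chain only proves integrity relative to the final hash, so the last link (or a periodic checkpoint of it) has to be written somewhere the repository owners cannot modify, for example a separate log account with append-only permissions; that is the "only authorized personnel" half of the task, which no amount of hashing replaces.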
PO.5 Implement and Maintain Secure Environments for Software Development
Ensure that all components of the environments for software development are strongly protected from internal and external threats to prevent compromises of the environments or the software being developed or maintained within them. Examples of environments for software development include development, build, test, and distribution environments.
Tasks | Tools |
---|---|
PO.5.1: Separate and protect each environment involved in software development. Require multifactor authentication, SSH keys, signed commits, and code change approvals for code repositories at the organization level. | GitHub Organization Settings; GitLab |

Note: Securely configuring code repository and CI/CD servers, and securely configuring development endpoints (i.e., developer laptops), are complex topics beyond the scope of this document.