PW.1.1: Use forms of risk modeling – such as threat modeling, attack modeling, or attack surface mapping – to help assess the security risk for the software.

PW.1.2: Track and maintain the software’s security requirements, risks, and design decisions.

PW.1.3: Where appropriate, build in support for using standardized security features and services (e.g., enabling software to integrate with existing log management, identity management, access control, and vulnerability management systems) instead of creating proprietary implementations of security features and services.

Used before coding to document system components, data flows, and trust boundaries, then enumerate threats and requirements.

Helps define security requirements by identifying known external dependencies, APIs, or services that code will interact with, which informs threat modeling and secure design.

Helps security teams and developers capture, manage, and trace security requirements from initial design through development, ensuring prebuild security alignment.

Enables “threat modeling as code” in prebuild, so security requirements can be automated and version-controlled alongside application code.

Centralizes and structures security requirements so they are available for threat modeling, design reviews, and early validation.

Useful at the design and planning phase to maintain a structured list of security requirements and link them to test cases, threat models, or code modules, ensuring security is addressed before coding.

In prebuild, it can define the exact RMF-derived security requirements the codebase must meet, including control baselines, and link them to design elements or development tasks.

PW.2.1: Have 1) a qualified person (or people) who were not involved with the design and/or 2) automated processes instantiated in the toolchain review the software design to confirm and enforce that it meets all of the security requirements and satisfactorily addresses the identified risk information.

Scans project dependencies (direct and transitive) against the National Vulnerability Database (NVD) and other sources to detect known vulnerabilities (CVEs). Helps confirm if a component meets security requirements before inclusion.

Automated dependency monitoring and update tool integrated with GitHub. Detects vulnerable dependencies and creates pull requests to update them, ensuring only secure versions are used.

Manages Risk Management Framework (RMF) compliance artifacts, including NIST 800-53 controls. Can be used to confirm that selected software components meet mandated security control baselines before approval.

JavaScript/TypeScript linter that enforces secure coding standards and flags insecure coding patterns before they reach production. Helps validate that custom code components align with secure coding requirements.

Automated code analysis platform for identifying vulnerabilities and code quality issues in multiple languages. Confirms code components meet security policies before integration.

Open-source vulnerability scanner for container images and file systems. Ensures that containerized components meet vulnerability and compliance requirements before deployment.

Static vulnerability analysis for container images. Integrates into CI/CD to detect vulnerabilities in base images and layered components before they’re promoted.

Comprehensive vulnerability scanner for container images, file systems, and Git repositories. Validates that selected components have no known vulnerabilities or misconfigurations.

Static analysis for Infrastructure as Code (IaC) to detect security misconfigurations (Terraform, Kubernetes, CloudFormation). Ensures that IaC components meet defined security baselines before use.

Policy-as-code scanner for Terraform, Kubernetes, Docker, and other IaC frameworks. Confirms that infrastructure components comply with security and compliance requirements.

Web-based code review tool. While not a vulnerability scanner, it enforces human review and approval workflows that can include security requirement validation checklists before component approval.

PW.4.1: Acquire and maintain well-secured software components (e.g., software libraries, modules, middleware, frameworks) from commercial, opensource, and other third-party developers for use by the organization’s software.

PW.4.2: Create and maintain well-secured software components in-house following SDLC processes to meet common internal software development needs that cannot be better met by third-party software components.

PW.4.3: Moved to PW.4.4

PW.4.4: Verify that acquired commercial, open-source, and all other third-party software components comply with the requirements, as defined by the organization, throughout their life cycles.

Generated during build/prebuild to validate component data against defined acceptance criteria.

Used to verify that all components meet licensing and security requirements before integration.

Ensures only vetted, signed, and policy-compliant packages are sourced for builds.

Acts as a controlled source for components meeting defined security standards.

Prevents use of components that fail security requirements or policy checks.

Enforces rules that only scanned, signed, and policy-compliant images are stored and used in builds.

nforces signed commit policy in merge requests before code is accepted.

Runs in CI to check code against predefined security queries before integration.

Enforces security acceptance criteria (e.g., no critical CVEs) before promoting components.

Creates PRs to meet policy-defined security versions.

Ensures repositories meet defined configuration criteria before allowing merges.

Provides a framework to define security assurance practices and maturity targets. Helps establish criteria for secure development processes, including prebuild checks.

Defines detailed security verification requirements for applications. Can be used as a benchmark for automated and manual prebuild security tests.

Vulnerability management and security test orchestration platform. Centralizes results from scanners and ensures issues are tracked against acceptance criteria.

Scans project dependencies for known vulnerabilities (CVEs) and fails builds if they don’t meet criteria.

VCS that supports commit signing and hooks to enforce prebuild checks (linting, security scans).

Lightweight, self-hosted Git service with repository policy enforcement (e.g., signed commits, review requirements).

Git platform with CI/CD integration for running security checks before merging.

Supports extensions for linting, vulnerability scanning, and code signing enforcement pre-commit.

Java IDE with plugins for static analysis, dependency scanning, and secure coding rule enforcement.

Java IDE with plugins for static analysis, secure coding, and SBOM generation.

Java unit testing framework; can integrate with security test suites.

NET testing framework; supports integration with security validation tests.

Python testing framework; can run security rule-based tests as part of CI.

Automated browser testing tool; can validate secure behavior (e.g., auth flows).

End-to-end browser testing with support for security-focused scenarios.

Dynamic Application Security Testing (DAST) tool for finding security issues in running apps during testing stages.

Testing framework for Java; integrates with security automation.

BDD testing framework; can define security acceptance tests in plain language.

Scans containers, file systems, and repos for vulnerabilities and misconfigurations.

Static vulnerability scanning for container images before deployment.

Vulnerability scanner for containers and filesystems.

Python-specific static analyzer for common security issues.

Multi-language static analysis using custom or predefined security rules.

Rails-specific static analyzer for security vulnerabilities.

Detects hardcoded secrets in Git repositories pre-commit or in CI.

Detects secrets and sensitive information in code history and commits.

Open-source framework for signing software artifacts (commits, containers) using cryptographic proofs.

Scans project dependencies (direct and transitive) for known CVEs using NVD and other sources. Can enforce “no critical/high vulnerabilities” criteria before the build passes.

Ensures that selected components meet license and security criteria before merging into mainline.

Can block merges or builds that violate licensing rules or contain known vulnerabilities.

Ensures licensing criteria are met before components are accepted into the build.

Provides component inventory to validate against predefined acceptance criteria.

Enforces security, compliance, and configuration policies during CI/CD gates before release.

PW.5.1 Follow all secure coding practices that are appropriate to the development languages and environment to meet the organization’s requirements.

egrated into CI to scan changed code and block merges if rules fail; can also run locally for pre-commit checks.

Runs in prebuild to fail pipelines when high-severity issues are found in Python code.

Scans Java code before packaging to find vulnerabilities and bad coding practices.

Integrated into CI to detect Java vulnerabilities pre-release.

Runs in CI to flag security issues before merges; supports quality gates for enforcement.

Can run in test environments before production release to catch runtime security issues.

Runs against staging/test instances before deployment to catch exploitable issues.

Blocks builds that include components with vulnerabilities exceeding severity thresholds.

PW.6.1: Use compiler, interpreter, and build tools that offer features to improve executable security

PW.6.2: Determine which compiler, interpreter, and build tool features should be used and how each should be configured, then implement and use the approved configurations.

Signs and verifies the integrity/authenticity of source code and pre-built dependencies before compiling.

Verifies cryptographic signatures of source tarballs and dependencies before build.

Scans and audits dependencies for licensing and security issues before they are included in a build.

Integrated into CI to detect Java vulnerabilities pre-release.

Analyzes container image layers to identify open-source components and licensing before using as a base for builds.

Detects licenses, copyrights, and packages in source code before build to ensure compliance and security.

Scans source code and container base images for known vulnerabilities before they are included in builds.

Generates SBOMs from source code and dependencies before build to document and verify components.

PW.7.1 Determine whether code review (a person looks directly at the code to find issues) and/or code analysis (tools are used to find issues in code, either in a fully automated way or in conjunction with a person) should be used, as defined by the organization.

PW.7.2: Perform the code review and/or code analysis based on the organization’s secure coding standards, and record and triage all discovered issues and recommended remediations in the development team’s workflow or issue tracking system.

Scans project dependencies (e.g., Maven, npm, Python) against the NVD for known CVEs before build, enabling early remediation of vulnerable libraries.

Primarily a dynamic application security testing (DAST) tool, but in a pre-build sense, it’s not generally used — can be run against local development builds for early runtime flaw detection. Limited PW.7 pre-build applicability.

Performs SAST and code quality checks for many languages, detecting vulnerabilities, bugs, and code smells before compilation or integration.

Scans JavaScript code and package manifests for known vulnerable libraries before packaging.

Performs dependency scanning for license and vulnerability issues before build. Commercial SaaS version is proprietary.

Lightweight, customizable SAST tool. Uses rules to detect security issues and anti-patterns in source code before build.

Scans Python source for common security issues before build (e.g., insecure function usage, hardcoded passwords).

Static analysis tool for IaC (Terraform, Kubernetes YAML, etc.) to find misconfigurations before deployment.

Static analysis for C/C++ source to catch undefined behavior, memory issues, and common security flaws before compilation.

A plugin for SpotBugs to detect Java-specific security vulnerabilities before build.

Performs deep semantic code analysis using a query language to detect vulnerabilities before build. Excellent for automated SAST in CI pipelines.

Scans Java, Apex, JavaScript, XML, and other code for bugs, unused code, and potential security issues before compilation.

Static analysis for Java bytecode; detects bug patterns and potential vulnerabilities pre-build (when run on compiled class files in CI before packaging).

Automates pull request checks — enforces security/contribution guidelines, prevents insecure patterns from merging into code before build.

PW.8.1: Determine whether executable code testing should be performed to find vulnerabilities not identified by previous reviews, analysis, or testing and, if so, which types of testing should be used.

PW.8.2: Scope the testing, design the tests, perform the testing, and document the results, including recording and triaging all discovered issues and recommended remediations in the development team’s workflow or issue tracking system.

SAST engine that scans source code against security rules before build, catching vulnerabilities early.

Static analysis for Python code to find common security issues before packaging.

Security plugin for SpotBugs to detect vulnerabilities in Java/Scala/Groovy code pre-build.

Static analysis for C/C++ to detect security flaws before compilation artifacts are built.

Rule-based static analysis for Java, Apex, JavaScript, and XML for vulnerabilities and coding issues.

General bug and vulnerability detection in Java code before build output.

Semantic code analysis to find vulnerabilities before build.

SCA tool that identifies vulnerable dependencies in manifests before packaging.

Scans JavaScript and Node.js dependencies for known vulnerabilities before release.

SSCA tool for scanning source code dependencies and base images pre-build for CVEs.

Generates SBOMs from source code before build to verify component inventory.

Scans Infrastructure-as-Code files for misconfigurations before deployment.

Searches code and git history for secrets before build.

Searches code and git history for secrets before build.

PW.9.1: Define a secure baseline by determining how to configure each setting that has an effect on security or a security-related setting so that the default settings are secure and do not weaken the security functions provided by the platform, network infrastructure, or services.

PW.9.2: Implement the default settings (or groups of default settings, if applicable), and document each setting for software administrators.

Finds misconfigurations and insecure defaults in IaC files before build.

Policy-as-code engine to enforce secure configuration rules in pre-build pipelines.

Validates YAML configuration files, ensuring structure correctness before further security rule checks.