Produce Well-Secured Software (PW)

PW.4.1 Acquire and Maintain Well-secured Software

Ensure safe use of components (e.g., software libraries, modules, middleware, frameworks) from commercial, open-source, and other third-party developers for use by the organization’s software. Implement a Software Bill of Materials (SBOM) scan to obtain provenance information for each software component. Establish one or more software repositories to host sanctioned and vetted open-source components.

Open-Source Tools to Achieve:

SBOM Generation and Attestation Tools:

• CycloneDX
• SPDX

Binary Repositories:

• ArtifactHub
• JFrog Artifactory OSS
• Sonatype Nexus OSS
• Harbor

Git Commit Signing:

• GitHub Signing
• GitLab Signing
• Bit Bucket

Repo Security Scanning

• GitHub CodeQL
• AquaSec Trivy
• Dependabot
• FrogBot
• Allstar

PW.7 Review and/or Analyze Human-Readable Code

Help identify vulnerabilities so that they can be corrected before the software is released to prevent exploitation. Using automated methods lowers the effort and resources needed to detect vulnerabilities. Human-readable code includes source code, scripts, and any other form of code that an organization deems human-readable.

Open-Source Tools to Achieve:

• OWASP Dependency-Check
• Dependency-Track
• OWASP ZAP
• SonarQube
• Retire.js
• Fossa
• Veracode
• SonarQube
• Semgrep
• Bandit for Python
• Checkmarx KICS
• Cppcheck for C##
• FindSecBugs