Protect the Organization (PO)
Organizations should ensure that their people, processes, and technology are prepared to perform secure software development at the organization level. Many organizations will find some PO practices to also be applicable to subsets of their software development, like individual development groups or projects.
PO.1 Define Security Requirements for Software Development: Ensure that security requirements for software development are known at all times so that they can be taken into account throughout the SDLC and duplication of effort can be minimized because the requirements information can be collected once and shared. This includes requirements from internal sources (e.g., the organization’s policies, business objectives, and risk management strategy) and external sources (e.g., applicable laws and regulations).
To satisfy SSDF PO.1 in a Build and Deploy context using open-source tools, the focus shifts from just defining to:
- Enforcing security policies on dependencies, code, and configurations.
- Verifying compliance with established security baselines before deployment.
- Ensuring artifacts meet DoD, NIST, or organizational security requirements.
Tasks: PO.1.1: Identify and document all security requirements for the organization’s software development infrastructures and processes, and maintain the requirements over time. PO.1.2: Identify and document all security requirements for organization-developed software to meet, and maintain the requirements over time.

Tools:

| Tool | Role in Build and Deploy |
|---|---|
| Open Policy Agent | Enforces security and compliance policies during build and deployment (e.g., blocking deployments if SBOM scan fails). |
| Conftest | Uses OPA’s Rego language to test Kubernetes manifests, Terraform, and Dockerfiles against predefined security requirements. |
| InSpec | Tests infrastructure and deployed applications against compliance frameworks (e.g., CIS Benchmarks, NIST 800-53). |
| Kyverno | Kubernetes-native policy engine to enforce secure configurations at deploy time. |
| Checkov | Scans Infrastructure-as-Code (IaC) during build to ensure compliance with security requirements before deploy. |
| Trivy | Scans container images, IaC, and SBOMs for vulnerabilities and misconfigurations before deployment. |
| Clair | Static analysis for container images to ensure they meet security requirements before push to registry. |
| Grype | Vulnerability scanning for container images and filesystems to validate artifacts against policy before deploy. |
| Sigstore Cosign | OPA-based admission controller to enforce compliance on Kubernetes clusters before allowing deployment. |
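As an added example (not from this page, nor from the Conftest or OPA projects), a Conftest policy of the kind the PO.1 table describes: it tests Kubernetes Deployment manifests against a few documented security requirements at build time, so a non-compliant manifest fails the pipeline before it reaches a cluster. The approved-registry hostname and the particular rules are assumptions, and the policy assumes a Conftest build whose embedded OPA accepts `import rego.v1`.

```rego
# policy/deployment.rego (added example). Run: conftest test deployment.yaml
package main

import rego.v1

# Every container in a Deployment or StatefulSet manifest under test.
containers contains c if {
	input.kind in {"Deployment", "StatefulSet"}
	some c in input.spec.template.spec.containers
}

# Requirement 1: no privileged containers.
deny contains msg if {
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("container %q must not run privileged", [c.name])
}

# Requirement 2: containers must declare a non-root user.
# A missing securityContext also fails, because the comparison is then undefined.
deny contains msg if {
	some c in containers
	not c.securityContext.runAsNonRoot == true
	msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [c.name])
}

# Requirement 3: images are pinned by digest, so the image that was scanned
# is the image that gets deployed (a mutable tag can be re-pushed).
deny contains msg if {
	some c in containers
	not contains(c.image, "@sha256:")
	msg := sprintf("container %q image %q is not pinned by digest", [c.name, c.image])
}

# Requirement 4: images come from the organization's registry (assumed hostname).
approved_registry := "registry.example.internal/"

deny contains msg if {
	some c in containers
	not startswith(c.image, approved_registry)
	msg := sprintf("container %q image %q is not from %s", [c.name, c.image, approved_registry])
}
```

Conftest reads policies from `./policy` by default, evaluates each YAML document in the file separately, and exits non-zero when any `deny` rule produces a message, which is what makes it usable as a build gate.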
PO.2 Implement Roles and Responsibilities: Ensure that everyone inside and outside of the organization involved in the SDLC is prepared to perform their SDLC-related roles and responsibilities throughout the SDLC.
To satisfy SSDF PO.2 in a Build and Deploy context using open-source tools, the focus shifts to:
- Enforcing role-based access control (RBAC) to limit who can trigger builds, approve changes, and deploy.
- Providing audit logs and traceability of actions for accountability.
- Ensuring code changes and deployments are reviewed by authorized personnel.
Tasks: PO.2.1: Create new roles and alter responsibilities for existing roles as needed to encompass all parts of the SDLC. Periodically review and maintain the defined roles and responsibilities, updating them as needed. PO.2.2: Provide role-based training for all personnel with responsibilities that contribute to secure development. Periodically review personnel proficiency and role-based training, and update the training as needed. PO.2.3: Obtain upper management or authorizing official commitment to secure development, and convey that commitment to all with development-related roles and responsibilities.

Tools:

| Tool | Role in Build and Deploy |
|---|---|
| Keycloak | Open-source identity and access management for enforcing RBAC in CI/CD pipelines and deployment tools. |
| Dex | Federated OpenID Connect provider to integrate developer identities into build and deploy systems for role-based access. |
| Vault by HashiCorp | Securely manages and controls access to secrets based on defined roles during builds and deployments. |
| Argo CD | GitOps deployment tool with RBAC to control who can sync, approve, or rollback deployments. |
| Jenkins with Role Strategy Plugin | Adds fine-grained RBAC to Jenkins pipelines, limiting build and deployment actions to authorized roles. |
| Tekton Pipelines | Kubernetes-native CI/CD with Kubernetes RBAC to control pipeline execution permissions. |
| Flux CD | GitOps tool enforcing RBAC for deployment workflows and requiring approvals for changes. |
| Kubernetes RBAC | Built-in access control to restrict who can deploy, modify, or delete workloads. |
| Gitea | Self-hosted Git service with user roles and repository permissions to enforce approval and review workflows. |
| Auditbeat | Provides audit logging for build and deploy actions, helping track compliance with assigned responsibilities. |
PO.3 Implement Supporting Toolchains: Use automation to reduce human effort and improve the accuracy, reproducibility, usability, and comprehensiveness of security practices throughout the SDLC, as well as provide a way to document and demonstrate the use of these practices. Toolchains and tools may be used at different levels of the organization, such as organization-wide or project-specific, and may address a particular part of the SDLC, like a build pipeline.
To satisfy SSDF PO.3 in a Build and Deploy context using open-source tools, the focus shifts to:
- Ensuring build and deployment tools are configured securely and kept patched.
- Protecting against supply chain attacks targeting the CI/CD pipeline.
- Verifying the integrity of tools and artifacts before use.
- Controlling and monitoring access to toolchains.
Tasks: PO.3.1: Specify which tools or tool types must or should be included in each toolchain to mitigate identified risks, as well as how the toolchain components are to be integrated with each other. PO.3.2: Follow recommended security practices to deploy, operate, and maintain tools and toolchains. PO.3.3: Configure tools to generate artifacts of their support of secure software development practices as defined by the organization.

Tools:

| Tool | Role in Build and Deploy |
|---|---|
| Sigstore Cosign | Signs and verifies build artifacts to prevent deploying tampered software. |
| SLSA Framework + slsa-verifier | Ensures build provenance and verifies the integrity of artifacts before deploy. |
| Gitleaks | Scans repos and build pipelines for secrets before build execution. |
| Argo CD | GitOps deployment tool with RBAC to control who can sync, approve, or rollback deployments. |
| Trivy | Scans CI/CD tool containers and dependencies for vulnerabilities. |
| Syft | Generates SBOMs for build artifacts to track components used in the toolchain. |
| Clair | Analyzes container images used in builds/deploys for vulnerabilities. |
| Vault by HashiCorp | Protects secrets used by build/deploy tools, ensuring they’re not exposed in pipelines. |
| DefectDojo | Centralizes and tracks security testing results for build and deploy toolchains. |
| Open Policy Agent (OPA) | Enforces security rules on CI/CD and deployment workflows to prevent unsafe actions. |
| Auditbeat | Monitors and logs CI/CD toolchain activity for integrity and compliance. |
PO.4 Define and Use Criteria for Software Security Checks: Help ensure that the software resulting from the SDLC meets the organization’s expectations by defining and using criteria for checking the software’s security during development.
To satisfy SSDF PO.4 in a Build and Deploy context using open-source tools, the focus shifts to:
- Applying consistent security testing and validation practices before release.
- Automating security checks in CI/CD pipelines.
- Using standardized processes for verifying, signing, and tracking artifacts.
- Integrating security gates so no insecure artifact is deployed.
Tasks: PO.4.1: Define criteria for software security checks and track throughout the SDLC. PO.4.2: Implement processes, mechanisms, etc. to gather and safeguard the necessary information in support of the criteria.

Tools:

| Tool | Role in Build and Deploy |
|---|---|
| OWASP Dependency-Check | Automates open-source dependency scanning in builds to enforce consistent vulnerability detection. |
| Semgrep | Static analysis integrated into builds to ensure consistent code security checks before deploy. |
| Bandit (for Python) | Python security linting in build pipelines to maintain consistent language-specific checks. |
| Trivy | Consistent vulnerability and IaC scanning before deployment. |
| Grype | Maintains consistent vulnerability scanning for all build artifacts. |
| InSpec | Automates compliance checks before deployment to ensure practices match organizational standards. |
| Sigstore Cosign | Standardizes artifact signing and verification so only trusted builds are deployed. |
| Open Policy Agent (OPA) | Enforces organization-wide deployment policies across all environments. |
| DefectDojo | Centralizes and standardizes vulnerability tracking and remediation workflows across builds. |
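As an added example (not from this page, nor from the Trivy, Conftest or OPA projects) of the security gate PO.4 calls for: a Conftest policy applied to Trivy's JSON report, so that a pipeline step fails on fixable CRITICAL or HIGH findings, only warns on findings with no fix yet, and honours time-boxed, documented exceptions. The severity threshold, the exception table and its placeholder ID are assumptions; `Results`, `Target`, `Vulnerabilities`, `FixedVersion` and `Misconfigurations` are the field names of Trivy's JSON output.

```rego
# policy/gate.rego (added example). Run: trivy image --format json -o scan.json IMAGE
# then: conftest test scan.json
package main

import rego.v1

# Severities that stop a deployment (organizational threshold, assumed).
blocking := {"CRITICAL", "HIGH"}

# Accepted-risk exceptions with an expiry date (constructed sample; placeholder ID).
exceptions := {"CVE-YYYY-NNNNN": "2099-01-01"}

# An exception only counts while it has not expired.
excepted(id) if {
	expiry := exceptions[id]
	time.parse_ns("2006-01-02", expiry) > time.now_ns()
}

# Flatten Trivy's per-target results into one finding per vulnerability.
findings contains f if {
	some r in input.Results
	some v in r.Vulnerabilities
	f := {"target": r.Target, "id": v.VulnerabilityID, "pkg": v.PkgName,
		"severity": v.Severity, "fixed": object.get(v, "FixedVersion", "") != ""}
}

# Block: a blocking-severity vulnerability with a fix available.
deny contains msg if {
	some f in findings
	f.severity in blocking
	f.fixed
	not excepted(f.id)
	msg := sprintf("%s: %s (%s) in %s has a fix; upgrade before deploy", [f.target, f.id, f.severity, f.pkg])
}

# Warn only: no fix exists yet, so the finding is tracked rather than blocked.
warn contains msg if {
	some f in findings
	f.severity in blocking
	not f.fixed
	not excepted(f.id)
	msg := sprintf("%s: %s (%s) in %s has no fix yet; track it", [f.target, f.id, f.severity, f.pkg])
}

# IaC and image-config scans report misconfigurations instead of CVEs.
deny contains msg if {
	some r in input.Results
	some m in r.Misconfigurations
	m.Severity in blocking
	msg := sprintf("%s: misconfiguration %s (%s): %s", [r.Target, m.ID, m.Severity, m.Title])
}
```

Conftest exits non-zero on any `deny` message, so placing this step between the scan and the deploy is the gate; `warn` messages are printed but do not fail the step.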
PO.5 Implement and Maintain Secure Environments for Software Development: Ensure that all components of the environments for software development are strongly protected from internal and external threats to prevent compromises of the environments or the software being developed or maintained within them. Examples of environments for software development include development, build, test, and distribution environments.
To satisfy SSDF PO.5 in a Build and Deploy context using open-source tools, the focus shifts to:
- Protecting CI/CD infrastructure from internal and external threats.
- Hardening build servers, container registries, and deployment systems.
- Ensuring build and deploy environments are patched, monitored, and access-controlled.
- Preventing malicious code or tampering in the software supply chain.
Tasks: PO.5.1: Separate and protect each environment involved in software development. PO.5.2: Secure and harden development endpoints (i.e., endpoints for software designers, developers, testers, builders, etc.) to perform development-related tasks using a risk-based approach.

Tools:

| Tool | Role in Build and Deploy |
|---|---|
| Jenkins Configuration as Code + Role Strategy Plugin | Secures Jenkins build servers with codified configs and RBAC to limit access to critical build jobs. |
| Tekton Pipelines | GitOps deployment with RBAC and signed commit enforcement for production deploys. |
| Argo CD | GitOps deployment with RBAC and signed commit enforcement for production deploys. |
| Vault by HashiCorp | Protects secrets in build and deploy environments, preventing leakage in pipelines. |
| Sigstore Cosign | Signs build artifacts and verifies them before deployment to ensure no tampering occurred. |
| In-toto | Provides end-to-end software supply chain security, ensuring each step in build/deploy is signed and verified. |
| InSpec | Runs ongoing compliance scans against development and build servers; enforces CIS/NIST benchmarks. |
| SLSA + slsa-verifier | Verifies build provenance, ensuring artifacts come from a trusted, uncompromised build environment. |
| Trivy | Scans build/deploy infrastructure containers and images for vulnerabilities and misconfigurations. |
| Falco | Runtime security for build and deploy environments to detect malicious behavior or unauthorized activity. |
| Auditbeat | Monitors build and deploy servers for file integrity changes, unauthorized access, and security events. |
| Kyverno | Enforces Kubernetes security policies in deployment environments (e.g., no privileged pods). |