
Protect the Organization (PO)

Protect the Organization (PO) for the Build and Deploy CI/CD Steps


Organizations should ensure that their people, processes, and technology are prepared to perform secure software development at the organization level. Many organizations will find some PO practices to also be applicable to subsets of their software development, like individual development groups or projects.


PO.1 Define Security Requirements for Software Development: Ensure that security requirements for software development are known at all times so that they can be taken into account throughout the SDLC and duplication of effort can be minimized because the requirements information can be collected once and shared. This includes requirements from internal sources (e.g., the organization’s policies, business objectives, and risk management strategy) and external sources (e.g., applicable laws and regulations).


To satisfy SSDF PO.1 in a Build and Deploy context using open-source tools, the focus shifts from merely defining requirements to:

  • Enforcing security policies on dependencies, code, and configurations.

  • Verifying compliance with established security baselines before deployment.

  • Ensuring artifacts meet DoD, NIST, or organizational security requirements.


Tasks:

  • PO.1.1: Identify and document all security requirements for the organization’s software development infrastructures and processes, and maintain the requirements over time.

  • PO.1.2: Identify and document all security requirements for organization-developed software to meet, and maintain the requirements over time.

Tools:

  • Open Policy Agent: Enforces security and compliance policies during build and deployment (e.g., blocking deployments if an SBOM scan fails).

  • Conftest: Uses OPA’s Rego language to test Kubernetes manifests, Terraform, and Dockerfiles against predefined security requirements.

  • InSpec: Tests infrastructure and deployed applications against compliance frameworks (e.g., CIS Benchmarks, NIST 800-53).

  • Kyverno: Kubernetes-native policy engine to enforce secure configurations at deploy time.

  • Checkov: Scans Infrastructure-as-Code (IaC) during build to ensure compliance with security requirements before deploy.

  • Trivy: Scans container images, IaC, and SBOMs for vulnerabilities and misconfigurations before deployment.

  • Clair: Static analysis for container images to ensure they meet security requirements before they are pushed to a registry.

  • Grype: Vulnerability scanning for container images and filesystems to validate artifacts against policy before deploy.

  • Sigstore Cosign: OPA-based admission controller to enforce compliance on Kubernetes clusters before allowing deployment.
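The tools above all encode the same idea: a manifest is evaluated against a written baseline before it is admitted, and a violation produces a deny with a reason. The following is an added illustration, not code from this page or from any of the listed tools, that expresses such a baseline in plain Python so the decision logic is visible without a policy engine. The rules (no privileged containers, non-root, no privilege escalation, digest-pinned images, resource limits), the two Deployments, the registry name and the all-zero digest are all constructed for the example; the manifests are shaped like the dict that yaml.safe_load() returns for a Kubernetes Deployment.

```python
"""Plain-Python rendition of deploy-time baseline checks of the kind that Conftest
(Rego) or Kyverno policies encode.  Added illustration: the rules, manifests and
names below are constructed for this example, not taken from any policy library."""

import sys
from typing import Any

# Constructed Deployment, shaped like yaml.safe_load() output: violates the baseline.
BAD_DEPLOYMENT: dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {
            "name": "web",
            "image": "registry.example.internal/web:latest",  # mutable tag
            "securityContext": {"privileged": True},           # privileged container
        }
    ]}}},
}

# The same workload brought in line with the baseline (digest is a placeholder).
GOOD_DEPLOYMENT: dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {
            "name": "web",
            "image": "registry.example.internal/web@sha256:" + "0" * 64,
            "securityContext": {
                "privileged": False,
                "runAsNonRoot": True,
                "allowPrivilegeEscalation": False,
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }
    ]}}},
}


def pod_containers(manifest: dict[str, Any]) -> list[dict[str, Any]]:
    """Return the app and init containers of a Deployment's pod template."""
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    return list(pod_spec.get("containers", [])) + list(pod_spec.get("initContainers", []))


def evaluate(manifest: dict[str, Any]) -> list[str]:
    """Return one message per baseline violation; an empty list means the manifest passes."""
    violations: list[str] = []
    if manifest.get("kind") != "Deployment":
        return violations  # this example only covers Deployments
    for c in pod_containers(manifest):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        image = c.get("image", "")
        if sc.get("privileged") is True:
            violations.append(f"{name}: privileged containers are not allowed")
        if sc.get("runAsNonRoot") is not True:
            violations.append(f"{name}: securityContext.runAsNonRoot must be true")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: securityContext.allowPrivilegeEscalation must be false")
        if "@sha256:" not in image:
            violations.append(f"{name}: image must be pinned by digest, got {image!r}")
        if not (c.get("resources") or {}).get("limits"):
            violations.append(f"{name}: resources.limits are required")
    return violations


def gate(manifests: list[dict[str, Any]]) -> bool:
    """Admission-style decision: True only if every manifest passes; prints each deny."""
    ok = True
    for m in manifests:
        name = m.get("metadata", {}).get("name", "<unnamed>")
        for v in evaluate(m):
            print(f"DENY {name}: {v}")
            ok = False
    return ok


if __name__ == "__main__":
    sys.exit(0 if gate([BAD_DEPLOYMENT, GOOD_DEPLOYMENT]) else 1)
```

Run as a script it prints five denies for the first Deployment and exits non-zero, which is the contract a pipeline stage needs. Note that absent fields count as violations (runAsNonRoot unset, allowPrivilegeEscalation unset, no limits): a baseline that only rejects explicitly bad values is silently bypassed by omission, so each rule here requires the safe value to be present.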

PO.2 Implement Roles and Responsibilities: Ensure that everyone inside and outside of the organization involved in the SDLC is prepared to perform their SDLC-related roles and responsibilities throughout the SDLC.


To satisfy SSDF PO.2 in a Build and Deploy context using open-source tools, the focus shifts to:

  • Enforcing role-based access control (RBAC) to limit who can trigger builds, approve changes, and deploy.

  • Providing audit logs and traceability of actions for accountability.

  • Ensuring code changes and deployments are reviewed by authorized personnel.


Tasks:

  • PO.2.1: Create new roles and alter responsibilities for existing roles as needed to encompass all parts of the SDLC. Periodically review and maintain the defined roles and responsibilities, updating them as needed.

  • PO.2.2: Provide role-based training for all personnel with responsibilities that contribute to secure development. Periodically review personnel proficiency and role-based training, and update the training as needed.

  • PO.2.3: Obtain upper management or authorizing official commitment to secure development, and convey that commitment to all with development-related roles and responsibilities.

Tools:

  • Keycloak: Open-source identity and access management for enforcing RBAC in CI/CD pipelines and deployment tools.

  • Dex: Federated OpenID Connect provider to integrate developer identities into build and deploy systems for role-based access.

  • Vault by HashiCorp: Securely manages and controls access to secrets based on defined roles during builds and deployments.

  • Argo CD: GitOps deployment tool with RBAC to control who can sync, approve, or roll back deployments.

  • Jenkins with Role Strategy Plugin: Adds fine-grained RBAC to Jenkins pipelines, limiting build and deployment actions to authorized roles.

  • Tekton Pipelines: Kubernetes-native CI/CD with Kubernetes RBAC to control pipeline execution permissions.

  • Flux CD: GitOps tool enforcing RBAC for deployment workflows and requiring approvals for changes.

  • Kubernetes RBAC: Built-in access control to restrict who can deploy, modify, or delete workloads.

  • Gitea: Self-hosted Git service with user roles and repository permissions to enforce approval and review workflows.

  • Auditbeat: Provides audit logging for build and deploy actions, helping track compliance with assigned responsibilities.

PO.3 Implement Supporting Toolchains: Use automation to reduce human effort and improve the accuracy, reproducibility, usability, and comprehensiveness of security practices throughout the SDLC, as well as provide a way to document and demonstrate the use of these practices. Toolchains and tools may be used at different levels of the organization, such as organization-wide or project-specific, and may address a particular part of the SDLC, like a build pipeline.


To satisfy SSDF PO.3 in a Build and Deploy context using open-source tools, the focus shifts to:

  • Ensuring build and deployment tools are configured securely and kept patched.

  • Protecting against supply chain attacks targeting the CI/CD pipeline.

  • Verifying the integrity of tools and artifacts before use.

  • Controlling and monitoring access to toolchains.


Tasks:

  • PO.3.1: Specify which tools or tool types must or should be included in each toolchain to mitigate identified risks, as well as how the toolchain components are to be integrated with each other.

  • PO.3.2: Follow recommended security practices to deploy, operate, and maintain tools and toolchains.

  • PO.3.3: Configure tools to generate artifacts of their support of secure software development practices as defined by the organization.

Tools:

  • Sigstore Cosign: Signs and verifies build artifacts to prevent deploying tampered software.

  • SLSA Framework + slsa-verifier: Ensures build provenance and verifies the integrity of artifacts before deploy.

  • Gitleaks: Scans repos and build pipelines for secrets before build execution.

  • Argo CD: GitOps deployment tool with RBAC to control who can sync, approve, or roll back deployments.

  • Trivy: Scans CI/CD tool containers and dependencies for vulnerabilities.

  • Syft: Generates SBOMs for build artifacts to track components used in the toolchain.

  • Clair: Analyzes container images used in builds/deploys for vulnerabilities.

  • Vault by HashiCorp: Protects secrets used by build/deploy tools, ensuring they’re not exposed in pipelines.

  • DefectDojo: Centralizes and tracks security testing results for build and deploy toolchains.

  • Open Policy Agent (OPA): Enforces security rules on CI/CD and deployment workflows to prevent unsafe actions.

  • Auditbeat: Monitors and logs CI/CD toolchain activity for integrity and compliance.

PO.4 Define and Use Criteria for Software Security Checks: Help ensure that the software resulting from the SDLC meets the organization’s expectations by defining and using criteria for checking the software’s security during development.


To satisfy SSDF PO.4 in a Build and Deploy context using open-source tools, the focus shifts to:

  • Applying consistent security testing and validation practices before release.

  • Automating security checks in CI/CD pipelines.

  • Using standardized processes for verifying, signing, and tracking artifacts.

  • Integrating security gates so no insecure artifact is deployed.


Tasks:

  • PO.4.1: Define criteria for software security checks and track throughout the SDLC.

  • PO.4.2: Implement processes, mechanisms, etc. to gather and safeguard the necessary information in support of the criteria.

Tools:

  • OWASP Dependency-Check: Automates open-source dependency scanning in builds to enforce consistent vulnerability detection.

  • Semgrep: Static analysis integrated into builds to ensure consistent code security checks before deploy.

  • Bandit (for Python): Python security linting in build pipelines to maintain consistent language-specific checks.

  • Trivy: Consistent vulnerability and IaC scanning before deployment.

  • Grype: Maintains consistent vulnerability scanning for all build artifacts.

  • InSpec: Automates compliance checks before deployment to ensure practices match organizational standards.

  • Sigstore Cosign: Standardizes artifact signing and verification so only trusted builds are deployed.

  • Open Policy Agent (OPA): Enforces organization-wide deployment policies across all environments.

  • DefectDojo: Centralizes and standardizes vulnerability tracking and remediation workflows across builds.
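PO.4.1 asks for the check criteria to be written down, and the "security gate" bullet above asks for them to be enforced mechanically between the scan step and the deploy step. The block below is an added illustration, not code from this page or from Trivy, Grype or any other listed tool: a severity gate that turns a scan report into a pass/fail decision. The report is constructed and only follows the general layout of Trivy's JSON output (a Results list whose entries carry a Vulnerabilities list with VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity); the vulnerability ids, package names and image name are placeholders. The gate generalizes the criterion slightly beyond "fail on anything HIGH": it separates findings that are waived by an explicit exception from findings that have no fix yet, so both exceptions are visible in the pipeline log rather than buried in a blanket threshold.

```python
"""Severity gate over a vulnerability scan report: the check a pipeline runs between
the scan and deploy steps so that no artifact above the agreed risk threshold ships.
Added illustration; the report is constructed and the ids are placeholders, not CVEs."""

import json
import sys
from typing import Any, Iterable

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scan output for one image, shaped like a Trivy-style JSON report.
SAMPLE_REPORT: dict[str, Any] = {
    "ArtifactName": "registry.example.internal/web:1.4.2",
    "Results": [
        {
            "Target": "registry.example.internal/web:1.4.2 (os packages)",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "libbaz",
                 "InstalledVersion": "0.9.0", "FixedVersion": "0.9.1", "Severity": "LOW"},
            ],
        }
    ],
}


def iter_findings(report: dict[str, Any]) -> Iterable[tuple[str, dict[str, Any]]]:
    """Flatten Results[*].Vulnerabilities[*] into (target, finding) pairs."""
    for result in report.get("Results") or []:
        for finding in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), finding


def gate(report: dict[str, Any], threshold: str = "HIGH",
         waivers: frozenset = frozenset(), ignore_unfixed: bool = False) -> dict[str, list[str]]:
    """Classify every finding at or above `threshold` as blocking, waived or ignored.

    waivers: vulnerability ids with an approved, documented exception.
    ignore_unfixed: when True, findings with no FixedVersion are reported but do not block.
    Findings below the threshold are listed for visibility and never block."""
    cutoff = SEVERITY_RANK[threshold.upper()]
    decision: dict[str, list[str]] = {"blocking": [], "waived": [], "ignored": [], "below_threshold": []}
    for target, f in iter_findings(report):
        vid = f.get("VulnerabilityID", "?")
        sev = str(f.get("Severity", "UNKNOWN")).upper()
        entry = f"{vid} {sev} {f.get('PkgName')} {f.get('InstalledVersion')} in {target}"
        if SEVERITY_RANK.get(sev, 0) < cutoff:
            decision["below_threshold"].append(entry)
        elif vid in waivers:
            decision["waived"].append(entry)
        elif ignore_unfixed and not f.get("FixedVersion"):
            decision["ignored"].append(entry)
        else:
            decision["blocking"].append(entry)
    return decision


def passes(report: dict[str, Any], **policy: Any) -> bool:
    """Pipeline decision: True when nothing blocks.  Every bucket is printed so the
    log records what was waived or ignored, not only what failed."""
    decision = gate(report, **policy)
    for bucket, entries in decision.items():
        for e in entries:
            print(f"{bucket.upper():16} {e}")
    return not decision["blocking"]


if __name__ == "__main__":
    # Usage: python gate.py [report.json]; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    # Strictest setting: everything HIGH and above blocks unless explicitly waived.
    sys.exit(0 if passes(report, threshold="HIGH", ignore_unfixed=False) else 1)
```

With the sample report and the default policy two findings block (the CRITICAL with a fix and the unfixed HIGH) and the LOW is only listed. Treating an empty FixedVersion as "ignored" should be a deliberate policy choice recorded under PO.4.1, and the waiver set should come from a reviewed file rather than a pipeline variable, so that the exception itself is traceable.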

PO.5 Implement and Maintain Secure Environments for Software Development: Ensure that all components of the environments for software development are strongly protected from internal and external threats to prevent compromises of the environments or the software being developed or maintained within them. Examples of environments for software development include development, build, test, and distribution environments.


To satisfy SSDF PO.5 in a Build and Deploy context using open-source tools, the focus shifts to:

  • Protecting CI/CD infrastructure from internal and external threats.

  • Hardening build servers, container registries, and deployment systems.

  • Ensuring build and deploy environments are patched, monitored, and access-controlled.

  • Preventing malicious code or tampering in the software supply chain.


Tasks:

  • PO.5.1: Separate and protect each environment involved in software development.

  • PO.5.2: Secure and harden development endpoints (i.e., endpoints for software designers, developers, testers, builders, etc.) to perform development-related tasks using a risk-based approach.

Tools:

  • Jenkins Configuration as Code + Role Strategy Plugin: Secures Jenkins build servers with codified configs and RBAC to limit access to critical build jobs.

  • Tekton Pipelines: GitOps deployment with RBAC and signed commit enforcement for production deploys.

  • Argo CD: GitOps deployment with RBAC and signed commit enforcement for production deploys.

  • Vault by HashiCorp: Protects secrets in build and deploy environments, preventing leakage in pipelines.

  • Sigstore Cosign: Signs build artifacts and verifies them before deployment to ensure no tampering occurred.

  • In-toto: Provides end-to-end software supply chain security, ensuring each step in build/deploy is signed and verified.

  • InSpec: Runs ongoing compliance scans against development and build servers; enforces CIS/NIST benchmarks.

  • SLSA + slsa-verifier: Verifies build provenance, ensuring artifacts come from a trusted, uncompromised build environment.

  • Trivy: Scans build/deploy infrastructure containers and images for vulnerabilities and misconfigurations.

  • Falco: Runtime security for build and deploy environments to detect malicious behavior or unauthorized activity.

  • Auditbeat: Monitors build and deploy servers for file integrity changes, unauthorized access, and security events.

  • Kyverno: Enforces Kubernetes security policies in deployment environments (e.g., no privileged pods).