Produce Well-Secured Software (PW)

PW.1.1: Use forms of risk modeling, such as threat modeling, attack modeling, or attack surface mapping to help assess the security risk for the software.

PW.1.2: Track and maintain the software’s security requirements, risks, and design decisions.

PW.1.3: Where appropriate, build in support for using standardized security features and services (e.g., enabling software to integrate with existing log management, identity management, access control, and vulnerability management systems) instead of creating proprietary implementations of security features and services.

Prevents insecure code from being packaged and deployed.

Ensures that deployed artifacts align with secure baseline configurations

Enforces approved component lists and security baselines before deployment.

Generates SBOMs for deployed applications for ongoing monitoring.

Enforces approved component lists and security baselines before deployment.

Focused vulnerability scanning for deployed artifacts.

Guarantees that build artifacts match the security-approved design exactly, with no drift or environmental differences.

Ensures that all deployed artifacts are built from a traceable, verifiable environment that aligns with design security baselines.

Enforces secure build rules, prevents unauthorized changes, and produces identical outputs across build agents.

Strengthens supply chain security by detecting unauthorized modifications between source and deployment.

Implements secure design principles like minimal attack surface and verified dependency selection.

Ensures artifacts come from a trusted, verified build process and haven’t been altered.

Provides cryptographic assurance that deployed artifacts are authentic and untampered.

Enforces integrity and accountability across the entire build-to-deploy pipeline.

Protects the integrity of deployment and update distribution channels.

Generate and manage keys for signing build artifacts. Implement TLS/SSL for secure communication between build agents and artifact repositories.

Sign source code, commits, and build outputs and verify signatures before deploying artifacts.

Embed cryptographic signing and verification into Java/.NET build pipelines.

Validate that deployment environments meet hardware-based integrity requirements before deployment.

Publish cryptographic attestations of build provenance or deployment approvals and provide a decentralized, tamper-proof audit log of artifact trust data.

Enforce secure deployment design policies (e.g., approved base images, disallowed configurations).

Enforce security design requirements at build time (e.g., dependency approval, CVE thresholds). Apply consistent policy enforcement from build pipelines to runtime.

Ensure that deployed workloads meet security requirements for mutual authentication and zero trust and bind workload identity to build-time provenance for deployment integrity.

Embeds threat models into CI/CD, ensuring security requirements are tied to architectural components before build. (Meets PW.1.1 and PW.1.2)

Helps to refine security requirements around network exposure and asset inventory. (Meets PW.1.1)

Integrates security requirements into system models, which can then be validated in build & deploy. (Meets PW.1.1)

Embeds threat models into CI/CD, ensuring security requirements are tied to architectural components before build. (Meets PW.1.1)

Requirements management tool for defining, tracking, and validating security requirements. Documents security requirements and links them to commits and build outputs.(Meets PW.1.1 and PW.1.2)

Requirements management tool using plain text and version control for traceability. Supports traceability from design through build, ensuring requirements are carried into final artifacts.(Meets PW.1.2)

Open-source compliance and risk management framework tool for tracking RMF (NIST 800-37) controls. Security requirements map to formal compliance controls that can be verified in build & deploy artifacts. (Meets PW1.2)

PW.2.1: Have 1) a qualified person (or people) who were not involved with the design and/or 2) automated processes instantiated in the toolchain review the software design to confirm and enforce that it meets all of the security requirements and satisfactorily addresses the identified risk information.

Automated design compliance gate in CI/CD

Validates deployment configurations match approved security architecture.

Enforce network segmentation rules, encryption requirements, and secure defaults.

Adds IaC review automation to the build process.

Automated code review for alignment with security design requirements.

Config compliance verification before deploying.

Ensures threat model-driven design requirements are implemented.

Post-build/pre-deploy architecture verification. Detect deviations from intended architecture.

Review Kubernetes manifests for design compliance before deployment.Ensures pod security settings match approved deployment designs.

Automated dependency update PRs with vulnerability alerts. Helps verify dependencies meet security requirements (e.g., no known CVEs, minimum versions).

Open Risk Management Framework tracking tool. Can map design-level security requirements to NIST 800-53 controls and verify those controls are implemented in build configs.

Runs in CI/CD pipelines or as a pre-commit hook to block merges if code violates the approved security or architectural rules before build.

SBOM-driven vulnerability scanner for images/filesystems. Validates that dependencies in the build match security baselines and are free from disallowed components.

Static vulnerability analysis for container images. Confirms final images meet design security requirements before deployment.

IaC scanning and policy enforcement (OPA-based). Enforces approved security design in Terraform, Kubernetes, Docker, and AWS CloudFormation configs before deploy.

Code review and approval workflow tool. Enforces human review against design and security requirements before merge to release branches.

PW.4.1: Acquire and maintain well-secured software components (e.g., software libraries, modules, middleware, frameworks) from commercial, opensource, and other third-party developers for use by the organization’s software.

PW.4.2: Create and maintain well-secured software components in-house following SDLC processes to meet common internal software development needs that cannot be better met by third-party software components.

PW.4.3: Moved to PW.1.3

PW.4.4: Verify that acquired commercial, open-source, and all other third-party software components comply with the requirements, as defined by the organization, throughout their life cycles.

Ensures manifests meet secure baseline defaults before deployment.

Validates default configurations meet security requirements.

Detects and blocks insecure defaults in Terraform, Helm, or CloudFormation before release.

Validates hardened defaults in cloud infrastructure provisioning.

Automated config compliance check during CI/CD.

Automates compliance testing for secure defaults.

Bakes hardened defaults into container or VM images before release.

Pre-deployment validation of secure defaults in manifests.

Ensures deployed OS images meet hardened defaults.

SBOM format for documenting exact components/configurations in final build; helps verify secure defaults are present.

SBOM standard to record all components, licenses, and provenance; can confirm inclusion of hardened dependencies.

Catalog of verified Helm charts, OLM operators, etc.; can enforce use of curated, secure-by-default packages.

Repository manager for storing signed, verified artifacts with access controls.

Host artifacts and enforce policy checks before they’re promoted.

OCI registry with vulnerability scanning, content signing, and policy enforcement for images.

Commit/tag signing in GitLab CE for provenance.

Detects code patterns violating security requirements.

Scans container images, IaC, and configs for insecure defaults.

GitHub App enforcing security policies in repos.

Security maturity model to guide secure default practices.

Application security requirements to verify secure defaults.

Central vulnerability tracking; ensures issues found in builds are fixed before release.

Detects known-vulnerable dependencies in builds.

Self-hosted Git service with signing/policy support.

Git platform with signing, scanning, CI/CD policy integration.

Automated testing to confirm defaults work.

Functional/UI test automation to verify secure settings.

Functional/UI test automation to verify secure settings.

DAST scanner to verify app defaults are not exploitable.

Java test framework for security/functional checks

BDD framework for verifying functional + security requirements.

Image vulnerability scanner for OCI registries.

SBOM-driven vuln scanner for builds and images

Detects insecure code patterns/defaults in Python.

Finds policy-violating patterns in code.

Detects Rails-specific security issues/defaults.

Detects secrets in code (prevents default creds exposure).

Finds secrets in repos/history to avoid insecure defaults.

Detects known-vulnerable dependencies in builds.>

Automates license/security checks; blocks noncompliant components.

License/dependency scanning; ensures compliance with default policies.

Detects license, copyright, and security metadata in artifacts.

Container image inspection for dependency/component details.

Policy-as-code for build & deploy; blocks insecure defaults in configs/manifests.

PW.5.1: Follow all secure coding practices that are appropriate to the development languages and environment to meet the organization’s requirements.

Acts as the central trusted artifact repository.

Acts as the central trusted artifact repository.

Acts as the central trusted artifact repository.

Ensures repository contents are authentic and tamper-free.

Ensures stored artifacts meet vulnerability requirements before deployment

Enforces provenance checks at repository ingestion.

Protects against repository and update tampering.

Controls supply chain intake and internal artifact storage.

Ties repository artifacts back to secure build pipelines.

Runs as part of the CI pipeline to automatically scan code for security flaws, policy violations, and unsafe patterns before artifacts are built. Supports rule-as-code to enforce secure build policies.

Python-focused static analyzer that checks for insecure functions, weak crypto, and common security issues before packaging or deployment.

Legacy Java static analysis; can be used to flag known insecure code patterns before build. Superseded by SpotBugs.

Modern replacement for FindBugs. Java bytecode scanner to enforce safe code practices before compiling final artifacts.

Comprehensive SAST platform; can be integrated in CI/CD to enforce quality gates, stopping builds that fail security rules.

Runs against built/staged applications in pre-deployment environments to detect exploitable vulnerabilities, ensuring no insecure version is promoted.

Web application vulnerability scanner that can be part of a build’s QA stage to ensure secure release readiness.

Scans for known-vulnerable dependencies in the build, blocking insecure versions from being deployed.

PW.6.1: Use compiler, interpreter, and build tools that offer features to improve executable security.

PW.6.2: Determine which compiler, interpreter, and build tool features should be used and how each should be configured, then implement and use the approved configurations.

Fast rule-based SAST with CI integration.

General code quality + basic security rules.

Python SAST linters.

Vulnerability scan images/filesystems against SBOMs.

Vulnerability scan images/filesystems against SBOMs.

Generate SBOMs (SPDX/CycloneDX) during build.

Continuous SBOM monitoring and alerting post-build./p>

Block commits/builds that contain secrets; run in CI and as pre-commit hooks.

Provides methods, guidelines, and supporting tools for deterministic builds, ensuring integrity and verifiability of source-to-binary outputs.

Build system with hermetic (sandboxed) execution and explicit dependency tracking, preventing hidden or unverified dependencies.

High-speed, deterministic build system that supports reproducibility and strict configuration-as-code.

Enforces controlled dependency resolution and supports reproducible builds for Java and JVM-based projects.

Creates reproducible, controlled build environments for embedded Linux images, preventing environmental drift.

Uses prebuilt toolchains and sandboxed environments for secure, reproducible Android builds.

PW.7.1: Determine whether code review (a person looks directly at the code to find issues) and/or code analysis (tools are used to find issues in code, either in a fully automated way or in conjunction with a person) should be used, as defined by the organization.

PW.7.2: Perform the code review and/or code analysis based on the organization’s secure coding standards, and record and triage all discovered issues and recommended remediations in the development team’s workflow or issue tracking system.

Runs automatically in CI before building deployment artifact.

Integrates with CI/CD to enforce clean code before release

Detect SQL injection, XSS, or unsafe deserialization patterns in codebase.

Protects against secret leakage in deployed artifacts

Require two reviewers for any code changes in security-critical modules.

Provides verifiable audit trail for security review completion.

Provides verifiable audit trail for security review completion.

Continuously scans dependencies in each build for new CVEs. Can run on every commit or nightly in CI/CD.

Can be automated in CI/CD to re-test staging environments for vulnerabilities as new code is deployed.

Focused on JavaScript libraries; detects newly disclosed vulnerabilities in frontend/back-end packages during builds.

Scans dependencies for vulnerabilities and license issues, integrating with builds to catch new findings.

Runs in CI/CD for Python projects to catch newly introduced security issues.

Detecting Known Vulnerabilities – Compares IaC components and configurations against known security best practices and compliance frameworks (CIS Benchmarks, NIST, PCI-DSS).

Re-scans C/C++ code after every build to ensure no new issues were introduced.

Extension to SpotBugs that catches security flaws in Java bytecode continuously during the build cycle.

Performs continuous security queries on code with each pull request or scheduled scan.

Runs code quality and security rule checks on every commit/build.

Java static analysis integrated into the build pipeline for continuous vulnerability detection.

Automates security-related PR review rules, preventing unsafe code from merging.

PW.8.1: Determine whether executable code testing should be performed to find vulnerabilities not identified by previous reviews, analysis, or testing and, if so, which types of testing should be used.

PW.8.2: Scope the testing, design the tests, perform the testing, and document the results, including recording and triaging all discovered issues and recommended remediations in the development team’s workflow or issue tracking system.

Run as a CI step after image build, before push to registry

Confirms that final executable meets vulnerability thresholds.

Feeds SBOM into SCA tools like Dependency-Track for ongoing monitoring

Ensures final artifact matches secure configuration requirements.

Baseline enforcement step before promotion to production.

Pre-release runtime security testing.

Provides verifiable evidence for compliance and audits.

PW.9.1: Define a secure baseline by determining how to configure each setting that has an effect on security or a security-related setting so that the default settings are secure and do not weaken the security functions provided by the platform, network infrastructure, or services.

PW.9.2: Implement the default settings (or groups of default settings, if applicable), and document each setting for software administrators.

Automates baseline hardening during image creation.

Produces secure-by-default container images.

CI gate to block insecure defaults from being built/deployed.

Prevents insecure IaC defaults from reaching deployment.

Prevents insecure IaC defaults from reaching deployment.

Produces compliance evidence before artifact promotion.

Ensures only hardened, verified artifacts can be deployed.

Verify hardened defaults match CIS requirements before release.

Policy enforcement for manifests and configs at build time.

Codifies secure defaults as enforceable CI/CD policies.