This is the multi-page printable view of this section.
Click here to print.
Return to the regular view of this page.
Secure Software Development Framework
Secure Software Development Framework Post Build CI/CD Steps
Achieving Post Deploy Tasks of the Secure Software Development Framework
The Secure Software Development Framework, developed by the National Institute of Standards and Technology (NIST), provides a comprehensive approach to ensuring security across the software development process, from initial design through deployment and maintenance. The framework outlines key practices and guidelines that organizations can implement to secure their software development lifecycle (SDLC), with a particular emphasis on integrating security into automated processes. This chapter focuses specifically on DevSecOps tooling and practices related to Post Deploy actions of the CI/CD pipeline to achieve:
|
|
| Prepare the Organization (PO) |
Organizations should ensure that their people, processes, and technology are prepared to perform secure software development at the organization level. Many organizations will find some PO practices to also be applicable to subsets of their software development, like individual development groups or projects. |
| Protect the Software (PS) |
Organizations should protect all components of their software from tampering and unauthorized access. |
| Produce Well-Secured Software (PW) |
Organizations should produce well-secured software with minimal security vulnerabilities in its releases. |
| Respond to Vulnerabilities (RV) |
Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future. |
1 - Protect the Organization (PO)
Protect the Organization (PO) CI/CD Steps
Protect the Organization (PO)
PO.3 Implement Supporting Toolchains
Use automation to reduce human effort and improve the accuracy, reproducibility, usability, and comprehensiveness of security practices throughout the SDLC, as well as provide a way to document and demonstrate the use of these practices. Toolchains and tools may be used at different levels of the organization, such as organization-wide or project-specific, and may address a particular part of the SDLC, like a build pipeline.
Open-Source Tools to Achieve:
2 - Protect the Software (PS)
Protect the Software (PS) CI/CD Steps
Protect the Software (PS)
Post Build Software Bill of Material Tools
DAST
Vulnerability Databases
Continuous Vulnerability Patch Management
Application Security Compliance Reporting
3 - Produce Well-Secured Software (PW)
Produce Well-Secured Software (PW) CI/CD Steps
Produce Well-Secured Software (PW)
4 - Respond to Vulnerabilities (RV)
Respond to Vulnerabilities (RV) CI/CD Steps
Respond to Vulnerabilities (RV)
Task: Identify and Respond to Vulnerabilities
How to Achieve: Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future.
Open-Source Tools to Achieve: