Protect the Software (PS)

Protect the Software (PS) Post-Deployment CI/CD Steps

Protect the Software (PS)

Protect the Software (PS): Organizations should protect all components of their software from tampering and unauthorized access.

PS.1

Protect All Forms of Code from Unauthorized Access and Tampering : Help prevent unauthorized changes to code, both inadvertent and intentional, which could circumvent or negate the intended security characteristics of the software. For code that is not intended to be publicly accessible, this helps prevent theft of the software and may make it more difficult or time-consuming for attackers to find vulnerabilities in the software.

To satisfy SSDF PS.1 in a post-deployment context using open-source tools, the focus shifts from just defining to:

Protecting deployed artifacts (binaries, containers, scripts, configs) from being altered in production
Ensuring post-deployment code integrity is verifiable at any time
Maintaining secure storage, transport, and retrieval of code and artifacts
Keeping an audit trail for all modifications and access

Tasks	Tools
PS.1.1: Store all forms of code including source code, executable code, and configuration-as-code based on the principle of least privilege so that only authorized personnel, tools, services, etc. have access.	Cosign Sigstore Sign and verify container images, binaries, and other artifacts.
	Rekor Sigstore Immutable public transparency log for signatures and metadata.
	In-Toto End-to-end supply chain verification to ensure deployed artifacts came from trusted sources.
	Gnu Privacy GuardG Sign and verify any file type, including tarballs and configuration files.
	Harbor Container registry with built-in vulnerability scanning, content signing, and RBAC.
	Sonatype Nexus OSS Secure artifact repository with access controls.
	JFrog Artifactory OSS Manages binary repositories with fine-grained permissions.
	Tripwire OSS Monitors filesystem for unauthorized changes.
	AIDE (Advanced Intrusion Detection Environment) Creates a baseline of files and detects alterations.
	Falco Detects suspicious activity in Kubernetes or container environments, including file changes.
	Kubernetes RBAC + OPA Gatekeeper Enforces role-based policies for container image deployment.
	Keycloak Centralized authentication/authorization for artifact registries and CI/CD systems.
	Wazuh SIEM platform that monitors access logs and alerts on anomalies.
	Ortelius Evidence Store Tracks which version of a service is deployed where, and links to its signed SBOM.
	Syft Generates SBOMs for deployed artifacts for later verification.
	OWASP Dependency-Track Monitors components in deployed artifacts against CVE feeds.

PS.2

Provide a Mechanism for Verifying Software Release Integrity: Help software acquirers ensure that the software they acquire is legitimate and has not been tampered with. Make software integrity verification information available to software acquirers.

To satisfy SSDF PS.2 in a post-deployment context using open-source tools, the focus shifts to:

Keeping exact copies of every release artifact (binaries, containers, configs, SBOMs)
Recording and publishing cryptographic verification data (signatures, hashes, attestations)
Ensuring acquirers can confirm that what they have matches the trusted, official release

Tasks	Tools
PS.2.1: Make software integrity verification information available to software acquirers.	Harbor Container registry with image retention policies, RBAC, and content trust.
	Sonatype Nexus OSS Artifact repository for storing binaries and dependencies.
	JFrog Artifactory OSS Binary management with retention and access control.
	GitHub Tag and store release binaries, SBOMs, and checksums.
	Sigstore cosign Sign and verify container images, SBOMs, and other artifacts.
	Sigstore Rekor Immutable transparency log for all signed artifacts and metadata.
	Gnu Privacy Guard Sign and verify tarballs, binaries, or SBOM files.
	In-Toto Provide end-to-end build provenance verification.
	Ortelius Maps deployed services to specific versions and their SBOMs.
	Syft Generates SBOMs from deployed artifacts.
	OWASP Dependency-Track Continuously monitors SBOMs for new CVEs in preserved releases.
	AIDE (Advanced Intrusion Detection Environment) Filesystem integrity checker to detect changes in stored artifacts.
	Tripwire OSS Baseline and monitor stored release directories for modifications.
	Wazuh SIEM that audits artifact repository activity.
	AuditD Linux-level auditing for access to preserved release files.
	Kubernetes RBAC / Keycloak Restrict who can upload or modify artifacts in registries.

PS.3

Archive and Protect Each Software Release: Preserve software releases in order to help identify, analyze, and eliminate vulnerabilities discovered in the software after release.

To satisfy SSDF PS.3 in a post-deployment context using open-source tools, the focus shifts to:

Keeping a tamper-proof record of every software component in each release
Ensuring provenance data remains accessible for audits, investigations, and vulnerability response
Allowing acquirers and downstream users to independently verify the origin and integrity of every component

Tasks	Tools
PS.3.1: Securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release. PS.3.2: Collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a software bill of materials [SBOM]).	Syft Generate SBOMs from deployed containers, VMs, or file systems (SPDX & CycloneDX formats).
	Trivy Create SBOMs and scan for vulnerabilities in deployed systems.
	In-Toto Record build steps and supply chain metadata as signed “link” files.
	Cosign Attest Capture build and deployment provenance as signed attestations.
	Gnu Privacy Guard Sign SBOMs and metadata for offline or private distribution.
	Rekor Store signatures and attestations in an immutable, public transparency log.
	Tripwire OSS Detect unauthorized changes in locally stored provenance archives.
	AIDE (Advanced Intrusion Detection Environment) Detect unauthorized changes in locally stored provenance archives.
	Ortelius Evidence Store Version and track deployed services and their SBOMs; link them to environments and releases. API/UI access for sharing SBOM and component history for specific releases.
	Dependency Track Continuously monitor preserved SBOMs for new CVEs.
	Harbor Attach SBOMs and signatures to container images in a registry.
	CycloneDX BOM Portal (OSS) Host and validate SBOMs in a web-accessible interface.