Produce Well-Secured Software (PW)
Organizations should produce well-secured software with minimal security vulnerabilities in its releases.
PW.1
Design Software to Meet Security Requirements and Mitigate Security Risks: Identify and evaluate the security requirements for the software; determine what security risks the software is likely to face during operation and how the software’s design and architecture should mitigate those risks; and justify any cases where risk-based analysis indicates that security requirements should be relaxed or waived. Addressing security requirements and risks during software design (secure by design) is key for improving software security and also helps improve development efficiency.
To satisfy SSDF PW.1 in a post-deployment context using open-source tools, the focus shifts to:
-
Keeping a tamper-proof record of every software component in each release
-
Ensuring provenance data remains accessible for audits, investigations, and vulnerability response
-
Allowing acquirers and downstream users to independently verify the origin and integrity of every component
Tasks | Tools |
---|---|
PW.1.1: Use forms of risk modeling, such as threat modeling, attack modeling, or attack surface mapping to help assess the security risk for the software. PW.1.2: Track and maintain the software’s security requirements, risks, and design decisions. PW.1.3: Where appropriate, build in support for using standardized security features and services (e.g., enabling software to integrate with existing log management, identity management, access control, and vulnerability management systems) instead of creating proprietary implementations of security features and services. |
|
Semgrep
Static and Dynamic Analysis that an be run against deployed codebases in staging mirrors to detect insecure patterns. |
|
Wapiti
Web application security scanner for deployed apps. |
|
Zap (Zed Attack Proxy)
Active and passive testing of live apps for vulnerabilities. |
|
Inspec
Validates that deployed applications meet secure coding standards. |
|
Ortelius
10 minute synchronizing to OSV.dev for new vulnerability detection in deployed artifacts. |
|
OpenSCAP
Scans systems for compliance with security coding-related baselines. |
|
Falco
Logging and Monitoring - Detects insecure behavior at runtime (e.g., unsafe system calls). |
|
Wazuh
Monitors application and OS logs for security-related events. |
|
AuditD
Captures low-level system calls related to code execution. |
|
Syft
Generates SBOMs for deployed applications for ongoing monitoring. |
|
OWASP Dependency-Track
Continuously tracks SBOMs for new vulnerabilities |
|
Trivy
Scans deployed containers/filesystems for known CVEs in code and dependencies. |
|
Grype
Focused vulnerability scanning for deployed artifacts. |
PW.2
Review the Software Design to Verify Compliance with Security Requirements and Risk Information:Help ensure that the software will meet the security requirements and satisfactorily address the identified risk information.
To satisfy SSDF PW.2 in a post-deployment context using open-source tools, the focus shifts to:
-
Continuous verification that deployed code (source or binary) hasn’t been tampered with.
-
Ongoing vulnerability assessment of deployed applications and components.
-
Post-release code review triggers when a vulnerability or incident is detected.
-
Auditable evidence that deployed software matches approved, reviewed code.
Tasks | Tools |
---|---|
PW.2.1: Have 1) a qualified person (or people) who were not involved with the design and/or 2) automated processes instantiated in the toolchain review the software design to confirm and enforce that it meets all of the security requirements and satisfactorily addresses the identified risk information. |
|
Sigstore Cosign
Verify deployed containers and binaries were signed at build time. |
|
Rekore
Store verification data and attestations in a tamper-evident log. |
|
In-Toto
Ensure deployed code matches the reviewed build pipeline steps. |
|
Tripwire OSS
Monitor deployed files for unauthorized changes. |
|
Semgrep
Review mirrored deployed code for security issues or policy violations. |
|
GitHub CodeQL
Advanced code queries to detect vulnerability patterns. |
|
Wapiti
Web vulnerability scanning against deployed endpoints. |
|
Ortelius
Track vulnerabilities to live endpoints for quick remediation times. |
|
Zap (Zed Attack Proxy)
Automated and manual DAST testing for live applications. |
|
Nikto
Server-focused vulnerability scanning. |
|
OpenSCAP
Map results to compliance baselines. |
|
DefectDojo
Track vulnerabilities found during post-deployment reviews and link to remediation./p> |
PW.4
Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality : Lower the costs of software development, expedite software development, and decrease the likelihood of introducing additional security vulnerabilities into the software by reusing software modules and services that have already had their security posture checked. This is particularly important for software that implements security functionality, such as cryptographic modules and protocols.
Note: PW.3 moved to PW.4
To satisfy SSDF PW.4 in a post-deployment context using open-source tools, the focus shifts to:
-
Vulnerability detection runs continuously on production or production-equivalent environments.
-
Results are triaged and assigned quickly.
-
There is an automated or semi-automated path to remediation (e.g., patching, image rebuild, or component upgrade).
-
All activity is auditable and linked to release artifacts.
Tasks | Tools |
---|---|
PW.4.1: Acquire and maintain well-secured software components (e.g., software libraries, modules, middleware, frameworks) from commercial, opensource, and other third-party developers for use by the organization’s software. PW.4.2: Create and maintain well-secured software components in-house following SDLC processes to meet common internal software development needs that cannot be better met by third-party software components. PW.4.3: Moved to PW.1.3 PW.4.4: Verify that acquired commercial, open-source, and all other third-party software components comply with the requirements, as defined by the organization, throughout their life cycles. |
|
Git
Stores signed vulnerability reports and patch commit metadata. |
|
Rekore
Logs scan results, remediations, and signatures immutably. |
|
Ortelius
Audit and evidence retention tracks which environments are running which version, enabling targeted redeployment of patched builds. |
|
Trivy
Scans running containers, filesystems, and Kubernetes clusters; also generates SBOMs. |
|
Grype
SBOM-driven vulnerability scanning for images and directories. |
|
Clair
Monitors container registries for vulnerable images. |
|
OpenVAS / Greenbone
Network and host vulnerability scanning. |
|
Syft
Generates SBOMs from deployed environments. |
|
OWASP Dependency-Track
CWatches SBOMs for new CVEs and policy violations. |
|
Vulnix
Nix-based vulnerability scanning from SBOM input. |
|
Kyverno
Kubernetes-native admission controller enforcing vulnerability thresholds. |
|
Falco
Detects runtime anomalies that may indicate exploitation. |
|
Nikto
Server-focused vulnerability scanning. |
|
Keel
Automates container redeployments when a new image is pushed. |
|
Kured
Automated Kubernetes node reboots for kernel patching. |
|
DefectDojo
Centralizes vulnerability data from scanners; assigns remediation tasks and tracks SLAs./p> |
|
The Hive
Incident response and coordination for urgent vulnerability events./p> |
PW.5
Create Source Code by Adhering to Secure Coding Practices: Decrease the number of security vulnerabilities in the software, and reduce costs by minimizing vulnerabilities introduced during source code creation that meet or exceed organization-defined vulnerability severity criteria.
To satisfy SSDF PW.5 in a post-deployment context using open-source tools, the focus shifts to:
-
Ongoing verification of integrity, compliance, and security posture for deployed software.
-
Continuous checks to ensure that the running software still meets the security requirements it had at release.
-
Detecting drift, newly introduced vulnerabilities, and configuration changes.
-
Maintaining verifiable evidence of these checks over time.
Tasks | Tools |
---|---|
PW.5.1: Follow all secure coding practices that are appropriate to the development languages and environment to meet the organization’s requirements. |
|
Trivy
Ongoing scans of deployed containers, filesystems, and Kubernetes clusters. |
|
Grype
Detect CVEs in deployed SBOMs or images. |
|
Clair
Continuous vulnerability scanning for registry images. |
|
Syft
Generate SBOMs from running systems for ongoing monitoring. |
|
Inspec
Define and run compliance checks (CIS, NIST, org-specific policies) against deployed environments. |
|
OpenSCAP
Evaluate running systems against security baselines. |
|
Kube-bench
Validate Kubernetes deployments against CIS benchmarks. |
|
Kube-hunter
Identify potential attack paths in deployed Kubernetes clusters. |
|
Falco
Detect runtime changes to files, processes, and network behavior. |
|
AIDE
File integrity monitoring to ensure binaries/configs aren’t altered. |
|
osquery
Query system state to detect unauthorized configuration changes. |
|
Open Policy Agent
Enforce continuous compliance policies at runtime. |
|
Kyverno
Kubernetes-native policy engine to prevent insecure updates. |
|
DefectDojo
Centralize verification results and track issues over time./p> |
|
Rekor
Store signed verification reports in a tamper-proof ledger. |
PW.6
Configure the Compilation, Interpreter, and Build Processes to Improve Executable Security: Decrease the number of security vulnerabilities in the software and reduce costs by eliminating vulnerabilities before testing occurs.
To satisfy SSDF PW.6 in a post-deployment context using open-source tools, the focus shifts to:
-
Running scheduled scans on running containers, VMs, and registries; integrate with SBOM monitoring
-
Maintain SBOMs for deployed software; monitor for new CVEs.
-
Score findings (CVSS, EPSS); prioritize fixes based on severity & exploitability.
-
Auto-rebuild/redeploy when patched images are available.
Tasks | Tools |
---|---|
PW.6.1: Use compiler, interpreter, and build tools that offer features to improve executable security. PW.6.2: Determine which compiler, interpreter, and build tool features should be used and how each should be configured, then implement and use the approved configurations. |
|
Trivy
Trivy runs weekly scans on all production container images and hosts → results are signed and logged in Rekor. |
|
Syft
Regenerates SBOMs for deployed artifacts, and flags new CVEs. |
|
DefectDojo
CVSS scoring + SLA assignment to owners./p> |
|
Keel
Auto-rebuild/redeploy when patched images are available |
|
Kured
Automated Kubernetes node reboots for kernel patching. |
|
Argo Rollouts
Use canary/staged rollouts for patched versions. |
|
OpenVAS
Run scheduled scans on running containers, VMs, and registries; integrate with SBOM monitoring |
|
Rekor
Store signed records of detection, triage, fix, and verification |
PW.7
Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements: Help identify vulnerabilities so that they can be corrected before the software is released to prevent exploitation. Using automated methods lowers the effort and resources needed to detect vulnerabilities. Human-readable code includes source code, scripts, and any other form of code that an organization deems human readable.
To satisfy SSDF PW.7 in a post-deployment context using open-source tools, the focus shifts to:
-
Maintain a record showing that the deployed version went through the organization’s required code review and/or automated analysis process.
-
Ensure all emergency/hotfix patches pushed post-deployment are also reviewed or analyzed — even if done after release.
-
Maintain Audit-Ready Evidence
Tasks | Tools |
---|---|
PW.7.1: Determine whether code review (a person looks directly at the code to find issues) and/or code analysis (tools are used to find issues in code, either in a fully automated way or in conjunction with a person) should be used, as defined by the organization. PW.7.2: Perform the code review and/or code analysis based on the organization’s secure coding standards, and record and triage all discovered issues and recommended remediations in the development team’s workflow or issue tracking system. |
|
Semgrep
Run SAST against the exact code linked to deployed binaries; include dependency scanning |
|
GitHub CodeQL
Re-run code analysis on production mirrors. |
|
DefectDojo
Keeps immutable records of all reviews, approvals, and automated analysis runs |
|
Rekor
Signed commits, protected branch history, scan results. |
PW.8
Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements: Help identify vulnerabilities so that they can be corrected before the software is released in order to prevent exploitation. Using automated methods lowers the effort and resources needed to detect vulnerabilities and improves traceability and repeatability. Executable code includes binaries, directly executed bytecode and source code, and any other form of code that an organization deems executable.
To satisfy SSDF PW.8 in a post-deployment context using open-source tools, the focus shifts to:
-
Continuously Test Deployed Executables for Vulnerabilities
-
Verify Compliance with Security Requirements
-
Feed Findings Back into Development
Tasks | Tools |
---|---|
PW.8.1: Determine whether executable code testing should be performed to find vulnerabilities not identified by previous reviews, analysis, or testing and, if so, which types of testing should be used. PW.8.2: Scope the testing, design the tests, perform the testing, and document the results, including recording and triaging all discovered issues and recommended remediations in the development team’s workflow or issue tracking system. |
|
Trivy
Scans deployed containers/filesystems for known CVEs in code and dependencies. |
|
Grype
Focused vulnerability scanning for deployed artifacts. |
|
Ortelius
10 minute synchronizing to OSV.dev for new vulnerability detection in deployed artifacts. |
|
OpenVAS / Greenbone
Network and host vulnerability scanning. |
|
Inspec
Map scan results to security standards (NIST, CIS, OWASP ASVS) |
|
OpenSCAP
Compliance scan outputs, baseline profiles, exception docs. |
|
Wapiti
DAST, fuzzing, and runtime monitoring to detect insecure behavior |
|
Zap (Zed Attack Proxy)
DAST/fuzzing reports. |
PW.9
Configure Software to Have Secure Settings by Default: Help improve the security of the software at the time of installation to reduce the likelihood of the software being deployed with weak security settings, putting it at greater risk of compromise.
To satisfy SSDF PW.9 in a post-deployment context using open-source tools, the focus shifts to:
-
Check deployed software and infrastructure against the organization’s secure configuration baseline (e.g., NIST 800-53, CIS Benchmarks, DISA STIGs).
-
Use policy-as-code and configuration management tools to keep deployed systems in compliance.
-
Integrate configuration checks into runtime monitoring
Tasks | Tools |
---|---|
PW.9.1: Define a secure baseline by determining how to configure each setting that has an effect on security or a security-related setting so that the default settings are secure and do not weaken the security functions provided by the platform, network infrastructure, or services. PW.9.2: Implement the default settings (or groups of default settings, if applicable), and document each setting for software administrators. |
|
Ortelius
Continuously monitors drift in container configurations. |
|
Inspec
Compare deployed systems against secure configuration baselines (NIST, CIS, STIG) |
|
OpenSCAP
Compare deployed systems against secure configuration baselines (NIST, CIS, STIG). |
|
Falco
Continuously monitor config changes; alert or auto-remediate deviations. |
|
Wazuh
Drift detection logs, remediation actions. |
|
Ansible
Policy-as-code and config management to ensure all deployments match baseline |
|
Saltstack
Config playbooks, enforcement logs, policy change history. |
|
Git
Store signed scan results and drift detection records in tamper-evident systems. |