Produce Well-Secured Software (PW) in the Post-Deployment CI/CD Steps

Produce Well-Secured Software (PW)

Organizations should produce well-secured software with minimal security vulnerabilities in its releases.


PW.1

Design Software to Meet Security Requirements and Mitigate Security Risks: Identify and evaluate the security requirements for the software; determine what security risks the software is likely to face during operation and how the software’s design and architecture should mitigate those risks; and justify any cases where risk-based analysis indicates that security requirements should be relaxed or waived. Addressing security requirements and risks during software design (secure by design) is key for improving software security and also helps improve development efficiency.


To satisfy SSDF PW.1 in a post-deployment context using open-source tools, the focus shifts to:

  • Keeping a tamper-proof record of every software component in each release

  • Ensuring provenance data remains accessible for audits, investigations, and vulnerability response

  • Allowing acquirers and downstream users to independently verify the origin and integrity of every component

Tasks Tools

PW.1.1: Use forms of risk modeling, such as threat modeling, attack modeling, or attack surface mapping to help assess the security risk for the software.


PW.1.2: Track and maintain the software’s security requirements, risks, and design decisions.


PW.1.3: Where appropriate, build in support for using standardized security features and services (e.g., enabling software to integrate with existing log management, identity management, access control, and vulnerability management systems) instead of creating proprietary implementations of security features and services.

Semgrep

Static and Dynamic Analysis that an be run against deployed codebases in staging mirrors to detect insecure patterns.

Wapiti

Web application security scanner for deployed apps.

Zap (Zed Attack Proxy)

Active and passive testing of live apps for vulnerabilities.

Inspec

Validates that deployed applications meet secure coding standards.

Ortelius

10 minute synchronizing to OSV.dev for new vulnerability detection in deployed artifacts.

OpenSCAP

Scans systems for compliance with security coding-related baselines.

Falco

Logging and Monitoring - Detects insecure behavior at runtime (e.g., unsafe system calls).

Wazuh

Monitors application and OS logs for security-related events.

AuditD

Captures low-level system calls related to code execution.

Syft

Generates SBOMs for deployed applications for ongoing monitoring.

OWASP Dependency-Track

Continuously tracks SBOMs for new vulnerabilities

Trivy

Scans deployed containers/filesystems for known CVEs in code and dependencies.

Grype

Focused vulnerability scanning for deployed artifacts.

PW.2

Review the Software Design to Verify Compliance with Security Requirements and Risk Information:Help ensure that the software will meet the security requirements and satisfactorily address the identified risk information.


To satisfy SSDF PW.2 in a post-deployment context using open-source tools, the focus shifts to:

  • Continuous verification that deployed code (source or binary) hasn’t been tampered with.

  • Ongoing vulnerability assessment of deployed applications and components.

  • Post-release code review triggers when a vulnerability or incident is detected.

  • Auditable evidence that deployed software matches approved, reviewed code.

Tasks Tools

PW.2.1: Have 1) a qualified person (or people) who were not involved with the design and/or 2) automated processes instantiated in the toolchain review the software design to confirm and enforce that it meets all of the security requirements and satisfactorily addresses the identified risk information.

Sigstore Cosign

Verify deployed containers and binaries were signed at build time.

Rekore

Store verification data and attestations in a tamper-evident log.

In-Toto

Ensure deployed code matches the reviewed build pipeline steps.

Tripwire OSS

Monitor deployed files for unauthorized changes.

Semgrep

Review mirrored deployed code for security issues or policy violations.

GitHub CodeQL

Advanced code queries to detect vulnerability patterns.

Wapiti

Web vulnerability scanning against deployed endpoints.

Ortelius

Track vulnerabilities to live endpoints for quick remediation times.

Zap (Zed Attack Proxy)

Automated and manual DAST testing for live applications.

Nikto

Server-focused vulnerability scanning.

OpenSCAP

Map results to compliance baselines.

DefectDojo

Track vulnerabilities found during post-deployment reviews and link to remediation./p>


PW.4

Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality : Lower the costs of software development, expedite software development, and decrease the likelihood of introducing additional security vulnerabilities into the software by reusing software modules and services that have already had their security posture checked. This is particularly important for software that implements security functionality, such as cryptographic modules and protocols.


Note: PW.3 moved to PW.4


To satisfy SSDF PW.4 in a post-deployment context using open-source tools, the focus shifts to:

  • Vulnerability detection runs continuously on production or production-equivalent environments.

  • Results are triaged and assigned quickly.

  • There is an automated or semi-automated path to remediation (e.g., patching, image rebuild, or component upgrade).

  • All activity is auditable and linked to release artifacts.

Tasks Tools

PW.4.1: Acquire and maintain well-secured software components (e.g., software libraries, modules, middleware, frameworks) from commercial, opensource, and other third-party developers for use by the organization’s software.


PW.4.2: Create and maintain well-secured software components in-house following SDLC processes to meet common internal software development needs that cannot be better met by third-party software components.


PW.4.3: Moved to PW.1.3


PW.4.4: Verify that acquired commercial, open-source, and all other third-party software components comply with the requirements, as defined by the organization, throughout their life cycles.

Git

Stores signed vulnerability reports and patch commit metadata.

Rekore

Logs scan results, remediations, and signatures immutably.

Ortelius

Audit and evidence retention tracks which environments are running which version, enabling targeted redeployment of patched builds.

Trivy

Scans running containers, filesystems, and Kubernetes clusters; also generates SBOMs.

Grype

SBOM-driven vulnerability scanning for images and directories.

Clair

Monitors container registries for vulnerable images.

OpenVAS / Greenbone

Network and host vulnerability scanning.

Syft

Generates SBOMs from deployed environments.

OWASP Dependency-Track

CWatches SBOMs for new CVEs and policy violations.

Vulnix

Nix-based vulnerability scanning from SBOM input.

Kyverno

Kubernetes-native admission controller enforcing vulnerability thresholds.

Falco

Detects runtime anomalies that may indicate exploitation.

Nikto

Server-focused vulnerability scanning.

Keel

Automates container redeployments when a new image is pushed.

Kured

Automated Kubernetes node reboots for kernel patching.

DefectDojo

Centralizes vulnerability data from scanners; assigns remediation tasks and tracks SLAs./p>

The Hive

Incident response and coordination for urgent vulnerability events./p>

PW.5

Create Source Code by Adhering to Secure Coding Practices: Decrease the number of security vulnerabilities in the software, and reduce costs by minimizing vulnerabilities introduced during source code creation that meet or exceed organization-defined vulnerability severity criteria.


To satisfy SSDF PW.5 in a post-deployment context using open-source tools, the focus shifts to:

  • Ongoing verification of integrity, compliance, and security posture for deployed software.

  • Continuous checks to ensure that the running software still meets the security requirements it had at release.

  • Detecting drift, newly introduced vulnerabilities, and configuration changes.

  • Maintaining verifiable evidence of these checks over time.

Tasks Tools

PW.5.1: Follow all secure coding practices that are appropriate to the development languages and environment to meet the organization’s requirements.

Trivy

Ongoing scans of deployed containers, filesystems, and Kubernetes clusters.

Grype

Detect CVEs in deployed SBOMs or images.

Clair

Continuous vulnerability scanning for registry images.

Syft

Generate SBOMs from running systems for ongoing monitoring.

Inspec

Define and run compliance checks (CIS, NIST, org-specific policies) against deployed environments.

OpenSCAP

Evaluate running systems against security baselines.

Kube-bench

Validate Kubernetes deployments against CIS benchmarks.

Kube-hunter

Identify potential attack paths in deployed Kubernetes clusters.

Falco

Detect runtime changes to files, processes, and network behavior.

AIDE

File integrity monitoring to ensure binaries/configs aren’t altered.

osquery

Query system state to detect unauthorized configuration changes.

Open Policy Agent

Enforce continuous compliance policies at runtime.

Kyverno

Kubernetes-native policy engine to prevent insecure updates.

DefectDojo

Centralize verification results and track issues over time./p>

Rekor

Store signed verification reports in a tamper-proof ledger.

PW.6

Configure the Compilation, Interpreter, and Build Processes to Improve Executable Security: Decrease the number of security vulnerabilities in the software and reduce costs by eliminating vulnerabilities before testing occurs.


To satisfy SSDF PW.6 in a post-deployment context using open-source tools, the focus shifts to:

  • Running scheduled scans on running containers, VMs, and registries; integrate with SBOM monitoring

  • Maintain SBOMs for deployed software; monitor for new CVEs.

  • Score findings (CVSS, EPSS); prioritize fixes based on severity & exploitability.

  • Auto-rebuild/redeploy when patched images are available.

Tasks Tools

PW.6.1: Use compiler, interpreter, and build tools that offer features to improve executable security.


PW.6.2: Determine which compiler, interpreter, and build tool features should be used and how each should be configured, then implement and use the approved configurations.

Trivy

Trivy runs weekly scans on all production container images and hosts → results are signed and logged in Rekor.

Syft

Regenerates SBOMs for deployed artifacts, and flags new CVEs.

DefectDojo

CVSS scoring + SLA assignment to owners./p>

Keel

Auto-rebuild/redeploy when patched images are available

Kured

Automated Kubernetes node reboots for kernel patching.

Argo Rollouts

Use canary/staged rollouts for patched versions.

OpenVAS

Run scheduled scans on running containers, VMs, and registries; integrate with SBOM monitoring

Rekor

Store signed records of detection, triage, fix, and verification

PW.7

Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements: Help identify vulnerabilities so that they can be corrected before the software is released to prevent exploitation. Using automated methods lowers the effort and resources needed to detect vulnerabilities. Human-readable code includes source code, scripts, and any other form of code that an organization deems human readable.


To satisfy SSDF PW.7 in a post-deployment context using open-source tools, the focus shifts to:

  • Maintain a record showing that the deployed version went through the organization’s required code review and/or automated analysis process.

  • Ensure all emergency/hotfix patches pushed post-deployment are also reviewed or analyzed — even if done after release.

  • Maintain Audit-Ready Evidence

Tasks Tools

PW.7.1: Determine whether code review (a person looks directly at the code to find issues) and/or code analysis (tools are used to find issues in code, either in a fully automated way or in conjunction with a person) should be used, as defined by the organization.


PW.7.2: Perform the code review and/or code analysis based on the organization’s secure coding standards, and record and triage all discovered issues and recommended remediations in the development team’s workflow or issue tracking system.

Semgrep

Run SAST against the exact code linked to deployed binaries; include dependency scanning

GitHub CodeQL

Re-run code analysis on production mirrors.

DefectDojo

Keeps immutable records of all reviews, approvals, and automated analysis runs

Rekor

Signed commits, protected branch history, scan results.

PW.8

Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements: Help identify vulnerabilities so that they can be corrected before the software is released in order to prevent exploitation. Using automated methods lowers the effort and resources needed to detect vulnerabilities and improves traceability and repeatability. Executable code includes binaries, directly executed bytecode and source code, and any other form of code that an organization deems executable.


To satisfy SSDF PW.8 in a post-deployment context using open-source tools, the focus shifts to:

  • Continuously Test Deployed Executables for Vulnerabilities

  • Verify Compliance with Security Requirements

  • Feed Findings Back into Development

Tasks Tools

PW.8.1: Determine whether executable code testing should be performed to find vulnerabilities not identified by previous reviews, analysis, or testing and, if so, which types of testing should be used.


PW.8.2: Scope the testing, design the tests, perform the testing, and document the results, including recording and triaging all discovered issues and recommended remediations in the development team’s workflow or issue tracking system.

Trivy

Scans deployed containers/filesystems for known CVEs in code and dependencies.

Grype

Focused vulnerability scanning for deployed artifacts.

Ortelius

10 minute synchronizing to OSV.dev for new vulnerability detection in deployed artifacts.

OpenVAS / Greenbone

Network and host vulnerability scanning.

Inspec

Map scan results to security standards (NIST, CIS, OWASP ASVS)

OpenSCAP

Compliance scan outputs, baseline profiles, exception docs.

Wapiti

DAST, fuzzing, and runtime monitoring to detect insecure behavior

Zap (Zed Attack Proxy)

DAST/fuzzing reports.

PW.9

Configure Software to Have Secure Settings by Default: Help improve the security of the software at the time of installation to reduce the likelihood of the software being deployed with weak security settings, putting it at greater risk of compromise.


To satisfy SSDF PW.9 in a post-deployment context using open-source tools, the focus shifts to:

  • Check deployed software and infrastructure against the organization’s secure configuration baseline (e.g., NIST 800-53, CIS Benchmarks, DISA STIGs).

  • Use policy-as-code and configuration management tools to keep deployed systems in compliance.

  • Integrate configuration checks into runtime monitoring

Tasks Tools

PW.9.1: Define a secure baseline by determining how to configure each setting that has an effect on security or a security-related setting so that the default settings are secure and do not weaken the security functions provided by the platform, network infrastructure, or services.


PW.9.2: Implement the default settings (or groups of default settings, if applicable), and document each setting for software administrators.

Ortelius

Continuously monitors drift in container configurations.

Inspec

Compare deployed systems against secure configuration baselines (NIST, CIS, STIG)

OpenSCAP

Compare deployed systems against secure configuration baselines (NIST, CIS, STIG).

Falco

Continuously monitor config changes; alert or auto-remediate deviations.

Wazuh

Drift detection logs, remediation actions.

Ansible

Policy-as-code and config management to ensure all deployments match baseline

Saltstack

Config playbooks, enforcement logs, policy change history.

Git

Store signed scan results and drift detection records in tamper-evident systems.

Last modified August 13, 2025