Release Tags:
tc:approved-release
stable:follows-policy
assert:supports-upgrade
assert:supports-accessible-upgrade
assert:supports-rolling-upgrade
assert:follows-standard-deprecation
There are 3 fields in a numbered release tag: 0.1.1, where first follows even numbers for stable release, odd numbers for development release for big changes; second follows even numbers for stable release, odd numbers for development release for small updates; third field follows by non-negative numbers for each patch version.
| Phases | Requirements | Release 1 Feature Project | Release 1 Integration Project |
|---|---|---|---|
| Requirements | Determine if the project is subject to SDL policy | X | X |
| Identify security advisor and security champion | X | ||
| Define security bug bar | X | X | |
| Bug tracking tool must have Security Bug Effect field and Security Bug Cause field | X | ||
| Security and privacy risk assessment | X | ||
| Write Security plan document | |||
| Design | Security design review | X | |
| Threat modeling | X | X | |
| Follow cryptograph requirements | X | X | |
| Write security architecture document | |||
| Minimize default attack surface | |||
| Enable least privilege | X | X | |
| Default secure | X | X | |
| Consider a defense-in-depth approach | |||
| Examine past vulnerabilities in previous version of the project | |||
| Deprecate outdated functionality | |||
| Conduct a security review of source code | |||
| Ensure appropriate logging | X | X | |
| Hardware security design review | |||
| Enforce strong log-out and session management | |||
| Follow NEAT security user experience guidance | |||
| Improve security-related prompts | |||
| Implementation | Establish and follow best practices | X | X |
| Run static analysis tool | X | X | |
| Validation | Dynamic analysis | X | |
| Fuzz testing (File parsing, RPC, network) | X | X | |
| Kernel-model driver test | X | X | |
| Risk and attack surface review | |||
| Cross-site scripting testing | X | X | |
| Penetration test | |||
| Binary analysis | |||
| Vulnerability regression test | |||
| Data flow test | |||
| Reply test | |||
| Input validation test (Symbolic Execution) | |||
| Privacy Model Checking (Information Flow Self-Composite Verification) | |||
| Secure code review | |||
| Security push | |||
| Release | Incident and response plan | X | X |
| Review and update the privacy companion form | X | X | |
| Complete the privacy disclosure | X | X | |
| Final security and privacy review | X | ||
| Patch deployment tools | X | X | |
| Release note with security disclosure | X | X |