...
Phases | Requirements | Release 1 |
---|---|---|
Requirements | Determine if the project is subject to SDL policy | X |
Requirements | Identify security advisor and security champion | X |
Requirements | Define security bug bar | X |
Requirements | Bug tracking tool must have Security Bug Effect field and Security Bug Cause field | X |
Requirements | Security and privacy risk assessment | X |
Requirements | Write security plan document | |
Design | Security design review | X |
Design | Threat modeling | X |
Design | Follow cryptography requirements | X |
Design | Write security architecture document | |
Design | Minimize default attack surface | |
Design | Enable least privilege | |
Design | Default secure | |
Design | Consider a defense-in-depth approach | |
Design | Examine past vulnerabilities in previous version of the project | |
Design | Deprecate outdated functionality | |
Design | Conduct a security review of source code | |
Design | Ensure appropriate logging | |
Design | Hardware security design review | |
Design | Enforce strong log-out and session management | |
Design | Follow NEAT security user experience guidance | |
Design | Improve security-related prompts | |
Implementation | Establish and follow best practices | X |
Implementation | Run static analysis tool | X |
Verification | Dynamic analysis | X |
Verification | Fuzz testing (file parsing, RPC, network) | X |
Verification | Kernel-mode driver test | X |
Verification | Risk and attack surface review | |
Verification | Cross-site scripting testing | X |
Verification | Penetration test | |
Verification | Binary analysis | |
Verification | Vulnerability regression test | |
Verification | Data flow test | |
Verification | Replay test | |
Verification | Input validation test | |
Verification | Privacy test | |
Verification | Secure code review | |
Verification | Security push | |
Release | Incident and response plan | X |
Release | Review and update the privacy companion form | X |
Release | Complete the privacy disclosure | X |
Release | Final security and privacy review / Release & Archive | X |
Release | Patch deployment tools | X |