You are viewing an old version of this page. View the current version.
Compare with Current
View Page History
Version 1
Next »
Phases | Requirements | Release 1 |
---|
Requirements | Determine if the project is subject to SDL policy | X |
| Identify security advisor and security champion | X |
| Define security bug bar | X |
| Bug tracking tool must have Security Bug Effect field and Security Bug Cause field | X |
| Security and privacy risk assessment | X |
| Write Security plan document |
|
Design | Security design review | X |
| Threat modeling | X |
| Follow cryptograph requirements | X |
| Write security architecture document |
|
| Minimize default attack surface |
|
| Enable least privilege |
|
| Default secure |
|
| Consider a defense-in-depth approach |
|
| Examine past vulnerabilities in previous version of the project |
|
| Deprecate outdated functionality |
|
| Conduct a security review of source code |
|
| Ensure appropriate logging |
|
| Hardware security design review |
|
| Enforce strong log-out and session management |
|
| Follow NEAT security user experience guidance |
|
| Improve security-related prompts |
|
Implementation | Establish and follow best practices | X |
| Run static analysis tool | X |
Verification | Dynamic analysis |
|
| Fuzz testing |
|
| Kernel-model driver test |
|
| Risk and attack surface review |
|
|
|
|
| Penetration test |
|
|
|
|
|
|
|
Release | Incident and response plan |
|
| Final security review |
|
| Release & Archive |
|
| Patch deployment tools |
|