| Phases | Requirements | Release 1 |
|---|---|---|
| Requirements | Determine if the project is subject to SDL policy | X |
| Identify security advisor and security champion | X | |
| Define security bug bar | X | |
| Bug tracking tool must have Security Bug Effect field and Security Bug Cause field | X | |
| Security and privacy risk assessment | X | |
| Write Security plan document | ||
| Design | Security design review | X |
| Threat modeling | X | |
| Follow cryptograph requirements | X | |
| Write security architecture document | ||
| Minimize default attack surface | ||
| Enable least privilege | ||
| Default secure | ||
| Consider a defense-in-depth approach | ||
| Examine past vulnerabilities in previous version of the project | ||
| Deprecate outdated functionality | ||
| Conduct a security review of source code | ||
| Ensure appropriate logging | ||
| Hardware security design review | ||
| Enforce strong log-out and session management | ||
| Follow NEAT security user experience guidance | ||
| Improve security-related prompts | ||
| Implementation | Establish and follow best practices | X |
| Run static analysis tool | X | |
| Verification | Dynamic analysis | |
| Fuzz testing | ||
| Kernel-model driver test | ||
| Risk and attack surface review | ||
| Penetration test | ||
| Release | Incident and response plan | |
| Final security review | ||
| Release & Archive | ||
| Patch deployment tools |
Overview
Content Tools