| Phases | Requirements | Release 1 |
|---|---|---|
| Requirements | Determine if the project is subject to SDL policy | X |
| Identify security advisor and security champion | X | |
| Define security bug bar | X | |
| Bug tracking tool must have Security Bug Effect field and Security Bug Cause field | X | |
| Security and privacy risk assessment | X | |
| Write Security plan document | ||
| Design | Security design review | X |
| Threat modeling | X | |
| Follow cryptograph requirements | X | |
| Write security architecture document | ||
| Minimize default attack surface | ||
| Enable least privilege | ||
| Default secure | ||
| Consider a defense-in-depth approach | ||
| Examine past vulnerabilities in previous version of the project | ||
| Deprecate outdated functionality | ||
| Conduct a security review of source code | ||
| Ensure appropriate logging | ||
| Hardware security design review | ||
| Enforce strong log-out and session management | ||
| Follow NEAT security user experience guidance | ||
| Improve security-related prompts | ||
| Implementation | Establish and follow best practices | X |
| Run static analysis tool | X | |
| Verification | Dynamic analysis | X |
| Fuzz testing (File parsing, RPC, network) | X | |
| Kernel-model driver test | X | |
| Risk and attack surface review | ||
| Cross-site scripting testing | X | |
| Penetration test | ||
| Binary analysis | ||
| Vulnerability regression test | ||
| Data flow test | ||
| Reply test | ||
| Input validation test | ||
| Privacy test | ||
| Secure code review | ||
| Security push | ||
| Release | Incident and response plan | X |
| Review and update the privacy companion form | X | |
| Complete the privacy disclosure | X | |
| Final security and privacy review | X | |
| Patch deployment tools | X |
Overview
Content Tools