You are viewing an old version of this page. View the current version.
Compare with Current
View Page History
« Previous
Version 2
Next »
Phases | Requirements | Release 1 |
---|
Requirements | Determine if the project is subject to SDL policy | X |
| Identify security advisor and security champion | X |
| Define security bug bar | X |
| Bug tracking tool must have Security Bug Effect field and Security Bug Cause field | X |
| Security and privacy risk assessment | X |
| Write Security plan document |
|
Design | Security design review | X |
| Threat modeling | X |
| Follow cryptograph requirements | X |
| Write security architecture document |
|
| Minimize default attack surface |
|
| Enable least privilege |
|
| Default secure |
|
| Consider a defense-in-depth approach |
|
| Examine past vulnerabilities in previous version of the project |
|
| Deprecate outdated functionality |
|
| Conduct a security review of source code |
|
| Ensure appropriate logging |
|
| Hardware security design review |
|
| Enforce strong log-out and session management |
|
| Follow NEAT security user experience guidance |
|
| Improve security-related prompts |
|
Implementation | Establish and follow best practices | X |
| Run static analysis tool | X |
Verification | Dynamic analysis | X |
| Fuzz testing (File parsing, RPC, network) | X |
| Kernel-model driver test | X |
| Risk and attack surface review |
|
| Cross-site scripting testing | X |
| Penetration test |
|
| Binary analysis |
|
| Vulnerability regression test |
|
| Data flow test |
|
| Reply test |
|
| Input validation test |
|
| Privacy test |
|
| Secure code review |
|
| Security push |
|
Release | Incident and response plan | X |
| Review and update the privacy companion form | X |
| Complete the privacy disclosure | X |
| Final security and privacy review | X |
| Patch deployment tools | X |