SDL Process: Release

The focus of this phase is readying a project for public release, including planning ways to effectively perform post-release servicing tasks and address security or privacy vulnerabilities that may occur later.

Training
  • Core Security Training
Requirements
  • Establish Security Requirements
  • Create Quality Gates/Bug Bars
  • Perform Security and Privacy Risk Assessments
Design
  • Establish Design Requirements
  • Perform Attack Surface Analysis/ Reduction
  • Use Threat Modeling
Implementation
  • Use Approved Tools
  • Deprecate Unsafe Functions
  • Perform Static Analysis
Verification
  • Perform Dynamic Analysis
  • Perform Fuzz Testing
  • Conduct Attack Surface Review
Release
  • Create an Incident Response Plan
  • Conduct Final Security Review
  • Certify Release and Archive
Response
  • Execute Incident Response Plan

SDL Practice #14: Create an Incident Response Plan

Preparing an Incident Response Plan is crucial for helping to address new threats that can emerge over time. It includes identifying appropriate security emergency contacts and establishing security servicing plans for code inherited from other groups within the organization and for licensed third-party code.

When should this practice be implemented?

Traditional Software development: Release Phase
Agile development: One Time

SDL Practice #15: Conduct Final Security Review

Deliberately reviewing all security activities that were performed helps ensure software release readiness. The Final Security Review (FSR) usually includes examining threat models, tools outputs, and performance against the quality gates and bug bars defined during the Requirements Phase.

The FSR results in one of three different outcomes: Passed FSR, Passed FSR with exceptions, FSR with escalation.

When should this practice be implemented?

Traditional Software development: Release Phase
Agile development: Every Sprint

    • VIDEOS
      • SDL Process Template
        SDL Process Template
        Watch this short video to learn more about the SDL Process Template. The SDL Process Template is one of many free templates and tools available in the Microsoft SDL Toolset. The SDL Process teamplate is a downloadable template that leverages the technology of Visual Studio Team System (VSTS) and Team Foundation Server (TFS) to automatically integrate the policy, process and tools associated with the Security Development Lifecycle version into your software development environment.
        Run Time:        7:28
        Uploaded:        12/07/10
        Share it:          Linked InTwitterFacebookDiggEmail
      • MSF-Agile+SDL Process Template
        MSF-Agile + SDL Process Template
        Watch this short video to learn more about the MSF-Agile+SDL Process Template. The MSF-Agile+SDL Template is one of many templates and tools available to help you implement the Microsoft SDL. MSF-Agile+SDL Process Template is a Team Foundation Server downloadable template that automatically incorporates the policy, process and tools associated with the SDL for Agile development guidance into the familiar Microsoft Solutions Framework (MSF) for Agile software development (MSF-Agile) process template that ships with Visual Studio Team System.
        Run Time:        6:30
        Uploaded:        12/07/10
        Share it:          Linked InTwitterFacebookDiggEmail

SDL Practice #16: Certify Release and Archive

Certifying software prior to a release helps ensure security and privacy requirements were met. Archiving all pertinent data is essential for performing post-release servicing tasks and helps lower the long-term costs associated with sustained software engineering.

Archiving should include all specifications, source code, binaries, private symbols, threat models, documentation, emergency response plans, and license and servicing terms for any third-party software.

When should this practice be implemented?

Traditional Software development: Release Phase
Agile development: Every Sprint

    • VIDEOS
      • SDL Process Template
        SDL Process Template
        Watch this short video to learn more about the SDL Process Template. The SDL Process Template is one of many free templates and tools available in the Microsoft SDL Toolset. The SDL Process teamplate is a downloadable template that leverages the technology of Visual Studio Team System (VSTS) and Team Foundation Server (TFS) to automatically integrate the policy, process and tools associated with the Security Development Lifecycle version into your software development environment.
        Run Time:        7:28
        Uploaded:        12/07/10
        Share it:          Linked InTwitterFacebookDiggEmail
      • MSF-Agile+SDL Process Template
        MSF-Agile + SDL Process Template
        Watch this short video to learn more about the MSF-Agile+SDL Process Template. The MSF-Agile+SDL Template is one of many templates and tools available to help you implement the Microsoft SDL. MSF-Agile+SDL Process Template is a Team Foundation Server downloadable template that automatically incorporates the policy, process and tools associated with the SDL for Agile development guidance into the familiar Microsoft Solutions Framework (MSF) for Agile software development (MSF-Agile) process template that ships with Visual Studio Team System.
        Run Time:        6:30
        Uploaded:        12/07/10
        Share it:          Linked InTwitterFacebookDiggEmail