SDL Process: Response

This post-release phase centers on the development team being able and available to respond appropriately to any reports of emerging software threats and vulnerabilities.

Training
  • Core Security Training
Requirements
  • Establish Security Requirements
  • Create Quality Gates/Bug Bars
  • Perform Security and Privacy Risk Assessments
Design
  • Establish Design Requirements
  • Perform Attack Surface Analysis/Reduction
  • Use Threat Modeling
Implementation
  • Use Approved Tools
  • Deprecate Unsafe Functions
  • Perform Static Analysis
Verification
  • Perform Dynamic Analysis
  • Perform Fuzz Testing
  • Conduct Attack Surface Review
Release
  • Create an Incident Response Plan
  • Conduct Final Security Review
  • Certify Release and Archive
Response
  • Execute Incident Response Plan

SDL Practice #17: Execute Incident Response Plan

The ability to execute the Incident Response Plan established in the Release phase is essential to protecting customers from software security or privacy vulnerabilities that emerge after release.

The Microsoft Security Response Center (MSRC) is a global team working around the clock to identify, monitor, and resolve security incidents and Microsoft software security vulnerabilities, and to deliver security updates and authoritative security guidance.