SDL Process: Training

A commitment to understanding security basics and the latest developments in security and privacy can greatly help organizations reduce the number and severity of exploitable software vulnerabilities, and react appropriately to ever-changing threat landscapes.

Training
  • Core Security Training
Requirements
  • Establish Security Requirements
  • Create Quality Gates/Bug Bars
  • Perform Security and Privacy Risk Assessments
Design
  • Establish Design Requirements
  • Perform Attack Surface Analysis/ Reduction
  • Use Threat Modeling
Implementation
  • Use Approved Tools
  • Deprecate Unsafe Functions
  • Perform Static Analysis
Verification
  • Perform Dynamic Analysis
  • Perform Fuzz Testing
  • Conduct Attack Surface Review
Release
  • Create an Incident Response Plan
  • Conduct Final Security Review
  • Certify Release and Archive
Response
  • Execute Incident Response Plan

SDL Practice #1: Core Security Training

This practice is a prerequisite for implementing the SDL. Foundational concepts for building better software include secure design, threat modeling, secure coding, security testing, and best practices surrounding privacy.

When should this practice be implemented?

Software development team members in technical roles (developers, testers, and program managers) must attend at least one unique security training class each year. For training that is relevant to each development phase, see Recommended Training below.