| Practice | Description | Rationale | Traditional software development | Agile development |
|---|---|---|---|---|
| Incident Response Plan | The Incident Response Plan identifies the appropriate points of contact in case of a security emergency. It also includes security servicing plans for code inherited from other groups within the organization and for licensed third-party code. | Even programs with no known vulnerabilities at the time of release can be subject to new threats that emerge over time. | Release Phase | One Time |
| Final Security Review (FSR) | The Final Security Review (FSR) is a deliberate examination of all security activities performed on software prior to release. The FSR usually includes an examination of threat models, tool outputs, and performance against the quality gates and bug bars defined during the Requirements Phase. The FSR results in one of three different outcomes: Passed FSR, Passed FSR with exceptions, or FSR with escalation. | The FSR determines whether the software meets the security requirements and is secure enough for release. | Release Phase | Every Sprint |
| Release certification and archiving | Certify that the project team has satisfied the security and privacy requirements prior to software release, and archive all pertinent information and data, including specifications, source code, binaries, private symbols, threat models, documentation, emergency response plans, and license and servicing terms for any third-party software. | Archiving pertinent data and information is necessary to perform post-release servicing tasks and lowers the long-term costs associated with sustained software engineering. | Release Phase | Every Sprint |