• SDL Process: Design

  • This phase is critical for establishing best practices around design and functional specifications and performing risk analysis that will help mitigate security and privacy issues throughout a project.

SDL phases and the practices in each (practice numbers follow the SDL order; this page covers Practices #5 to #7 in the Design phase):

Training
  1. Core Security Training

Requirements
  2. Establish Security Requirements
  3. Create Quality Gates/Bug Bars
  4. Perform Security and Privacy Risk Assessments

Design
  5. Establish Design Requirements
  6. Perform Attack Surface Analysis/Reduction
  7. Use Threat Modeling

Implementation
  8. Use Approved Tools
  9. Deprecate Unsafe Functions
  10. Perform Static Analysis

Verification
  11. Perform Dynamic Analysis
  12. Perform Fuzz Testing
  13. Conduct Attack Surface Review

Release
  14. Create an Incident Response Plan
  15. Conduct Final Security Review
  16. Certify Release and Archive

Response
  17. Execute Incident Response Plan

  • SDL Practice #5: Establish Design Requirements
  • Addressing security and privacy concerns early helps minimize the risk of schedule disruptions and reduces a project's expense.
  • Validate all design specifications against the functional specification. This requires accurate and complete design specifications, including minimum cryptographic design requirements, and a review of the specification.
  • When should this practice be implemented?
  • Traditional software development: Design phase
    Agile development: One-Time practice (completed once per project, not repeated each sprint)
  • SDL Practice #6: Perform Attack Surface Analysis/Reduction
  • Reducing the opportunities for attackers to exploit a potential weak spot or vulnerability requires a thorough analysis of the overall attack surface. Reduction includes disabling or restricting access to system services, applying the principle of least privilege, and employing layered defenses wherever possible.
  • When should this practice be implemented?
  • Traditional software development: Design phase
    Agile development: Bucket practice, scheduled during planning (completed regularly over the project, but not necessarily in every sprint)
  • SDL Practice #7: Use Threat Modeling
  • Applying a structured approach to threat scenarios during design helps a team identify security vulnerabilities more effectively and at lower cost, determine the risk each threat poses, and establish appropriate mitigations.
  • When should this practice be implemented?
  • Traditional software development: Design phase
    Agile development: Every-Sprint practice
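As an added illustration of Practices #6 and #7 (this is example code written for this page, not code from the SDL or from Microsoft), the following Python models a small constructed data-flow diagram, treats every flow that crosses a trust boundary into a process as an entry point, scores the entry points, proposes the reductions the practice names (restrict the service, apply least privilege, add a defensive layer), and lists the STRIDE categories that the standard STRIDE-per-element chart assigns to each element kind. The sample system, the trust-zone names and the scoring weights are assumptions chosen for illustration.

```python
# Attack surface analysis/reduction (Practice #6) and STRIDE-per-element threat
# enumeration (Practice #7) over a small data-flow diagram. Added example, not
# SDL or Microsoft code; the DFD, zone names and scoring weights are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# STRIDE letters the SDL STRIDE-per-element chart assigns to each element kind
# (S=Spoofing, T=Tampering, R=Repudiation, I=Info disclosure, D=DoS, E=EoP).
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE",
                      "store": "TRID", "flow": "TID"}

@dataclass(frozen=True)
class Node:
    name: str
    kind: str                 # "external", "process" or "store"
    zone: str                 # trust zone: "internet", "dmz" or "internal"
    privileged: bool = False  # process runs as root/SYSTEM

@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    authenticated: bool = True  # caller must authenticate before use
    encrypted: bool = True      # protected in transit (e.g. TLS)

@dataclass
class Dfd:
    nodes: Dict[str, Node]
    flows: List[Flow]

    def crosses_boundary(self, f: Flow) -> bool:
        # a trust boundary separates any two different trust zones
        return self.nodes[f.src].zone != self.nodes[f.dst].zone

def entry_points(dfd: Dfd) -> List[Flow]:
    """Attack surface: flows that cross a trust boundary into a process."""
    return [f for f in dfd.flows
            if dfd.crosses_boundary(f) and dfd.nodes[f.dst].kind == "process"]

def attack_surface_report(dfd: Dfd) -> List[Tuple[str, int, List[str]]]:
    """Score each entry point (higher = more exposed) and propose reductions."""
    report = []
    for f in entry_points(dfd):
        src, dst = dfd.nodes[f.src], dfd.nodes[f.dst]
        score, actions = 1, []
        if src.zone == "internet":
            score += 3
        if not f.authenticated:
            score += 2
            actions.append(f"require authentication on {f.name}")
        if dst.privileged:
            score += 2
            actions.append(f"run {dst.name} under an unprivileged account")
        if not f.encrypted:
            score += 1
            actions.append(f"protect {f.name} in transit")
        if src.zone == "internet" and dst.zone == "internal":
            score += 2
            actions.append(f"front {dst.name} with a gateway tier or restrict {f.name}")
        report.append((f.name, score, actions))
    return sorted(report, key=lambda r: r[1], reverse=True)

def total_attack_surface(dfd: Dfd) -> int:
    return sum(score for _, score, _ in attack_surface_report(dfd))

def disable_flow(dfd: Dfd, flow_name: str) -> Dfd:
    """Reduction by disabling an entry point outright."""
    return Dfd(dfd.nodes, [f for f in dfd.flows if f.name != flow_name])

def stride_threats(dfd: Dfd) -> Dict[str, str]:
    """STRIDE categories each element must be assessed against (nothing skipped)."""
    threats = {n.name: STRIDE_PER_ELEMENT[n.kind] for n in dfd.nodes.values()}
    threats.update({f.name: STRIDE_PER_ELEMENT["flow"] for f in dfd.flows})
    return threats

# Constructed sample: internet users, a DMZ web tier, a privileged internal
# API, a database, and a forgotten unauthenticated debug endpoint on the API.
SAMPLE = Dfd(
    nodes={
        "browser": Node("browser", "external", "internet"),
        "admin": Node("admin", "external", "internet"),
        "web": Node("web", "process", "dmz"),
        "api": Node("api", "process", "internal", privileged=True),
        "db": Node("db", "store", "internal"),
    },
    flows=[
        Flow("public-web", "browser", "web", authenticated=False),
        Flow("web-to-api", "web", "api"),
        Flow("admin-ssh", "admin", "api"),
        Flow("api-to-db", "api", "db"),
        Flow("debug-rpc", "browser", "api", authenticated=False, encrypted=False),
    ],
)

if __name__ == "__main__":
    for name, score, actions in attack_surface_report(SAMPLE):
        print(f"{name:11} score={score:2}  " + "; ".join(actions))
    print("total:", total_attack_surface(SAMPLE), "-> after disabling debug-rpc:",
          total_attack_surface(disable_flow(SAMPLE, "debug-rpc")))
    for element, letters in stride_threats(SAMPLE).items():
        print(f"{element:11} assess against {letters}")
```

Running it ranks the unauthenticated, unencrypted debug endpoint on the privileged internal API as the largest entry point; disabling that one flow removes more than a third of the sample's total score, which is the kind of cheap design-time reduction the practice is after. The STRIDE listing is only the skeleton of a threat model: each element-category pair still has to be walked through to decide whether a concrete threat exists and what mitigates it.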