• SDL Process: Implementation

  • The focus of this phase is helping the end user make informed decisions about the most secure ways to deploy the software. It's also the time to establish best practices for detecting and removing security issues from the code.

  • Training
    1. Core Security Training

  • Requirements
    2. Establish Security Requirements
    3. Create Quality Gates/Bug Bars
    4. Perform Security and Privacy Risk Assessments

  • Design
    5. Establish Design Requirements
    6. Perform Attack Surface Analysis/Reduction
    7. Use Threat Modeling

  • Implementation
    8. Use Approved Tools
    9. Deprecate Unsafe Functions
    10. Perform Static Analysis

  • Verification
    11. Perform Dynamic Analysis
    12. Perform Fuzz Testing
    13. Conduct Attack Surface Review

  • Release
    14. Create an Incident Response Plan
    15. Conduct Final Security Review
    16. Certify Release and Archive

  • Response
    17. Execute Incident Response Plan

  • SDL Practice #8: Use Approved Tools
  • Publishing a list of approved tools and associated security checks (such as compiler/linker options and warnings) helps automate and enforce security practices easily at a low cost. Keeping the list regularly updated means the latest tool versions are used and allows inclusion of new security analysis functionality and protections.
  • When should this practice be implemented?
  • Traditional Software development: Implementation Phase
    Agile development: Every Sprint

  • SDL Practice #9: Deprecate Unsafe Functions
  • Analyzing all project functions and APIs and banning those determined to be unsafe helps reduce potential security bugs with very little engineering cost. Specific actions include using header files, newer compilers, or code scanning tools to check code for functions on the banned list, and then replacing them with safer alternatives.
  • When should this practice be implemented?
  • Traditional Software development: Implementation Phase
    Agile development: Every Sprint
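
One way to run the banned-list check that Practice #9 describes, as an added example rather than code from the SDL material: a small Python scanner for C source. The `BANNED` mapping, its suggested replacements and the `SAMPLE` input are assumptions constructed for illustration.

```python
import re

# Sample policy (an assumption, not a published list): banned name -> replacement.
BANNED = {
    "strcpy": "strcpy_s",
    "strcat": "strcat_s",
    "sprintf": "snprintf",
    "gets": "fgets",
}

# Comments and literals are blanked first, so a banned name mentioned in a
# comment or a log string is not reported as a call.
_NON_CODE = re.compile(
    r"//[^\n]*|/\*.*?\*/"        # line and block comments
    r'|"(?:\\.|[^"\\\n])*"'      # string literals
    r"|'(?:\\.|[^'\\\n])*'",     # character literals
    re.DOTALL,
)
# A banned name used as a whole identifier and followed by "(".
_CALL = re.compile(r"(?<![A-Za-z0-9_])(%s)\s*\(" % "|".join(BANNED))

def _blank(match):
    # Keep newlines so reported line numbers still match the original file.
    return re.sub(r"[^\n]", " ", match.group(0))

def find_banned_calls(source):
    """Return (line, function, replacement) for each banned call in C source."""
    code = _NON_CODE.sub(_blank, source)
    findings = []
    for m in _CALL.finditer(code):
        line = code.count("\n", 0, m.start()) + 1
        findings.append((line, m.group(1), BANNED[m.group(1)]))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = r'''#include <string.h>
/* legacy note: strcpy( was used here before */
void greet(char *dst, size_t n, const char *name) {
    char buf[32];
    strcpy(buf, name);
    my_strcpy(dst, buf);
    snprintf(dst, n, "gets(%s)", buf);
    gets (buf);
}
'''

if __name__ == "__main__":
    for line, func, repl in find_banned_calls(SAMPLE):
        print(f"line {line}: {func}() is banned, use {repl}()")
```

The scanner matches text, so it also reports declarations of a banned name and misses a banned function reached through a macro or a function pointer.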
  • SDL Practice #10: Perform Static Analysis
  • Analyzing the source code prior to compilation provides a scalable method of security code review and helps ensure that secure coding policies are being followed.
  • When should this practice be implemented?
  • Traditional Software development: Implementation Phase
    Agile development: Every Sprint