• SDL Process: Requirements

  • The project inception phase is the best time for a development team to consider foundational security and privacy issues and to analyze how to align quality and regulatory requirements with costs and business needs.

Training

Requirements

Design

Implementation

Verification

Release

Response

  1. Core Security Training

  1. Establish Security Requirements

  1. Create Quality Gates/Bug Bars

  1. Perform Security and Privacy Risk Assessments

  1. Establish Design Requirements

  1. Perform Attack Surface Analysis/ Reduction

  1. Use Threat Modeling

  1. Use Approved Tools

  1. Deprecate Unsafe Functions

  1. Perform Static Analysis

  1. Perform Dynamic Analysis

  1. Perform Fuzz Testing

  1. Conduct Attack Surface Review

  1. Create an Incident Response Plan

  1. Conduct Final Security Review

  1. Certify Release and Archive

  1. Execute Incident Response Plan

Previous
Next
  • SDL Practice #2: Establish Security and Privacy Requirements
  • Defining and integrating security and privacy requirements early helps make it easier to identify key milestones and deliverables and minimize disruptions to plans and schedules.
  • Security and privacy analysis includes assigning security experts, defining minimum security and privacy criteria for an application, and deploying a security vulnerability/work item tracking system.
  • When should this practice be implemented?
  • Traditional Software development: Requirements Phase
    Agile development: One Time
  • SDL Practice #3: Create Quality Gates/Bug Bars
  • Defining minimum acceptable levels of security and privacy quality at the start helps a team understand risks associated with security issues, identify and fix security bugs during development, and apply the standards throughout the entire project.
  • Setting a meaningful bug bar involves clearly defining the severity thresholds of security vulnerabilities (for example, no known vulnerabilities in the application with a “critical” or “important” rating at time of release) and never relaxing it once it's been set.
  • When should this practice be implemented?
  • Traditional Software development: Requirements Phase
    Agile development: One Time
  • SDL Practice #4: Perform Security and Privacy Risk Assessments
  • Examining software design based on costs and regulatory requirements helps a team identify which portions of a project will require threat modeling and security design reviews before release and determine the Privacy Impact Rating of a feature, product, or service.
  • When should this practice be implemented?
  • Traditional Software development: Requirements Phase
    Agile development: One Time