• SDL Process: Verification

  • This phase involves a comprehensive effort to ensure that the code meets the security and privacy tenets established in the previous phases.

Training

Requirements

Design

Implementation

Verification

Release

Response

  1. Core Security Training

  1. Establish Security Requirements

  1. Create Quality Gates/Bug Bars

  1. Perform Security and Privacy Risk Assessments

  1. Establish Design Requirements

  1. Perform Attack Surface Analysis/ Reduction

  1. Use Threat Modeling

  1. Use Approved Tools

  1. Deprecate Unsafe Functions

  1. Perform Static Analysis

  1. Perform Dynamic Analysis

  1. Perform Fuzz Testing

  1. Conduct Attack Surface Review

  1. Create an Incident Response Plan

  1. Conduct Final Security Review

  1. Certify Release and Archive

  1. Execute Incident Response Plan

Previous previous phase
next phase Next
  • SDL Practice #11: Perform Dynamic Analysis
  • Performing run-time verification of your software checks functionality using tools that monitor application behavior for memory corruption, user privilege issues, and other critical security problems.
  • When should this practice be implemented?
  • Traditional Software development: Verification Phase
    Agile development: Bucket Verification
  • SDL Practice #12: Perform Fuzz Testing
  • Inducing program failure by deliberately introducing malformed or random data to an application helps reveal potential security issues prior to release while requiring modest resource investment.
  • When should this practice be implemented?
  • Traditional Software development: Verification Phase
    Agile development: Bucket Verification
  • SDL Practice #13: Conduct Attack Surface Review
  • Reviewing attack surface upon code completion helps ensure that any design or implementation changes to an application or system have been taken into account, and that any new attack vectors created as a result of the changes have been reviewed and mitigated including threat models.
  • When should this practice be implemented?
  • Traditional Software development: Requirements Phase
    Agile development: Bucket Verification