Contents xi
8.6 PRSA5: Security Architectural Reviews and Tool-Based Assessments of Current, Legacy, and M&A Products and Solutions 243
8.6.1 Legacy Code 243
8.6.2 Mergers and Acquisitions (M&As) 247
8.7 Key Success Factors 248
8.8 Deliverables 251
8.9 Metrics 252
8.10 Chapter Summary 252
References 253
Chapter 9 Applying the SDL Framework to the Real World 255
9.0 Introduction 256
9.1 Build Software Securely 261
9.1.1 Produce Secure Code 264
9.1.2 Manual Code Review 269
9.1.3 Static Analysis 271
9.2 Determining the Right Activities for Each Project 275
9.2.1 The Seven Determining Questions 275
9.3 Architecture and Design 292
9.4 Testing 302
9.4.1 Functional Testing 303
9.4.2 Dynamic Testing 304
9.4.3 Attack and Penetration Testing 309
9.4.4 Independent Testing 311
9.5 Agile: Sprints 312
9.6 Key Success Factors and Metrics 317
9.6.1 Secure Coding Training Program 317
9.6.2 Secure Coding Frameworks (APIs) 318
9.6.3 Manual Code Review 318
9.6.4 Independent Code Review and Testing (by Experts or Third Parties) 318
9.6.5 Static Analysis 319
9.6.6 Risk Assessment Methodology 319
9.6.7 Integration of SDL with SDLC 319
9.6.8 Development of Architecture Talent 319
9.7 Metrics 320
9.8 Chapter Summary 321
References 323