351
Appendix
Key Success Factors,
Deliverables, and
Metrics for Each Phase
of Our SDL Model
In Chapters 3 through 7, we have outlined key success factors, deliverables,
and metrics that should be captured as part of our Security Development
Lifecycle (SDL) model. In Chapter 8, the SDL post-release phase, we out-
line the key deliverables and metrics. The key success factors, deliverables,
and metrics are not set in stone and may need to be tweaked as you map
the SDL to your own Software Development Lifecycle (SDLC). In this
Appendix, we have summarized (in tabular form for your quick reference)
the key success factors, deliverables, and metrics that we have outlined in
Chapters 3 through 8.
Table A.1 Key Success Factors for Each Phase of the SDL
Phase Key Success Factor Description
Security Assessment (A1): SDL
Activities and Best Practices
1. Accuracy of planned SDL activities All SDL activities are accurately identified.
2. Product risk profile Management understands the true cost of developing the product.
3. Accuracy of threat profile Mitigating steps and countermeasures are in place for the product
to be successful in its environment.
4. Coverage of relevant regulations,
certifications, and compliance
frameworks
All applicable legal and compliance aspects are covered.
5. Coverage of security objectives
needed for software
“Must have” security objectives are met.
Architecture (A2): SDL Activities
and Best Practices
1. Identification of business
requirements and risks
Mapping of business requirements and risks defined in terms of
CIA
2. Effective threat modeling Identifying threats for the software
3. Effective architectural threat analysis Analysis of threats to the software and probability of threat
materializing
4. Effective risk mitigation strategy Risk acceptance, tolerance, and mitigation plan per business
requirements
5. Accuracy of DFDs Data flow diagrams used during threat modeling
Design and Development (A3):
SDL Activities and Best Practices
1. Comprehensive security test plan Mapping types of security testing required at different stages of
SDLC
2. Effective threat modeling Identifying threats to the software
3. Design security analysis Analysis of threats to various software components
4. Privacy implementation assessment Effort required for implementation of privacy-related controls
based on assessment
5. Policy compliance review (updates) Updates for policy compliance as related to Phase 3
Design and Development (A4):
SDL Activities and Best Practices
1. Security test case execution Coverage of all relevant test cases
2. Security testing Completion of all types of security testing and remediation of
problems found
3. Privacy validation and remediation Effectiveness of privacy-related controls and remediation of any
issues found
4. Policy compliance review Updates for policy compliance as related to Phase 4
Ship (A5): SDL Activities and
Best Practices
1. Policy compliance analysis Final review of security and compliance requirements during
development process
2. Vulnerability scanning Scanning software stack for identifying security issues
3. Penetration testing Exploiting any/all security issues on software stack
4. Open-source licensing review Final review of open-source software used in the stack
5. Final security review Final review of compliance against all security requirements
identified during SDL cycle
6. Final privacy review Final review of compliance against all privacy requirements
identified during SDL cycle
7. Customer engagement framework Framework that defines process for sharing security related
information with customers
Table A.2 Deliverables for Each Phase of the SDL
Phase Deliverable Goal
Security Assessment (A1): SDL
Activities and Best Practices
Product risk profile Estimate actual cost of the product.
SDL project outline Map SDL to development schedule.
Applicable laws and regulations Obtain formal sign-off from stakeholders on applicable laws.
Threat profile Guide SDL activities to mitigate threats.
Certification requirements List requirements for product and operations certifications.
List of third-party software Identify dependence on third-party software.
Metrics template Establish cadence for regular reporting to executives.
Business requirements Software requirements, including CIA
Threat modeling artifacts Data flow diagrams, elements, threat listing
Architecture threat analysis Prioritization of threats and risks based on threat analysis
Risk mitigation plan Plan to mitigate, accept, or tolerate risk
Policy compliance analysis Analysis of adherence to company policies
Design and Development (A3):
SDL Activities and Best Practices
Updated threat modeling artifacts Data flow diagrams, elements, threat listing
Design security review Modifications to design of software components based on
security assessments
Security test plans Plan to mitigate, accept, or tolerate risk
Updated policy compliance analysis Analysis of adherence to company policies
Privacy implementation assessment results Recommendations from privacy assessment
Design and Development (A4):
SDL Activities and Best Practices
Security test execution report Review progress against identified security test cases
Updated policy compliance analysis Analysis of adherence to company policies
Privacy compliance report Validation that recommendations from privacy assessment have
been implemented
Security testing reports Findings from different types of security testing
Remediation report Provide status on security posture of product
Ship (A5): SDL Activities and Best
Practices
Updated policy compliance analysis Analysis of adherence to company policies
Security testing reports Findings from different types of security testing in this phase of
SDL
Remediation report Provide status on security posture of product
Open-source licensing review report Review of compliance with licensing requirements if open-
source software is used
Final security and privacy review reports Review of compliance with security and privacy requirements
Customer engagement framework Detailed framework to engage customers during different
stages of product life cycle
Post-Release Support (PRSA1–5) External vulnerability disclosure response
process
Process to define evaluation and communication of security
vulnerabilities
Post-release certifications Certifications from external parties to demonstrate security
posture of products/services
Third-party security reviews Security assessments performed by groups other than internal
testing teams
Security strategy and process for legacy
code, M&A, and EOL plans
Strategy to mitigate security risk from legacy code and M&As
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.