Table A.1 Key Success Factors for Each Phase of the SDL

| Phase | Key Success Factor | Description |
|---|---|---|
| Security Assessment (A1): SDL Activities and Best Practices | 1. Accuracy of planned SDL activities | All SDL activities are accurately identified. |
| | 2. Product risk profile | Management understands the true cost of developing the product. |
| | 3. Accuracy of threat profile | Mitigating steps and countermeasures are in place for the product to be successful in its environment. |
| | 4. Coverage of relevant regulations, certifications, and compliance frameworks | All applicable legal and compliance aspects are covered. |
| | 5. Coverage of security objectives needed for software | “Must have” security objectives are met. |
| Architecture (A2): SDL Activities and Best Practices | 1. Identification of business requirements and risks | Mapping of business requirements and risks defined in terms of CIA |
| | 2. Effective threat modeling | Identifying threats for the software |
| | 3. Effective architectural threat analysis | Analysis of threats to the software and probability of threat materializing |
| | 4. Effective risk mitigation strategy | Risk acceptance, tolerance, and mitigation plan per business requirements |
| | 5. Accuracy of DFDs | Data flow diagrams used during threat modeling |
| Design and Development (A3): SDL Activities and Best Practices | 1. Comprehensive security test plan | Mapping types of security testing required at different stages of SDLC |
| | 2. Effective threat modeling | Identifying threats to the software |
| | 3. Design security analysis | Analysis of threats to various software components |
| | 4. Privacy implementation assessment | Effort required for implementation of privacy-related controls based on assessment |
| | 5. Policy compliance review (updates) | Updates for policy compliance as related to Phase 3 |