Chapter 16. Stage 11: Product Release

Congratulations, your product is complete! Release of the product as a CD or DVD or as a Web download requires completion of the Security Development Lifecycle (SDL) process for security and privacy as defined in this book.

Important

It is assumed that your company has a formal “sign off” process for releasing software to users. Such criteria often include the requirement that no bugs of a specific severity exist and that the software is in compliance with various legal requirements, such as the U.S. Rehabilitation Act Section 508 (Microsoft 2005).

To sign off on the software, the central security and privacy team must agree that the SDL has been followed satisfactorily. There really should be no surprises because the final security review (FSR) stage of the SDL should have uncovered any lingering issues. And, as we said in Chapter 14, there should be few if any surprises during the FSR process if the team has performed the appropriate SDL due diligence throughout the software’s development.

Finally, to better facilitate debugging security vulnerabilities reported to you, we strongly advise you to upload debugging symbols to a central, internal site that can be easily accessed by your engineers. Debuggers use symbols to turn addresses and numbers into human-readable function names and variable names. This debug symbol requirement applies to all publicly released binaries.
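The sign-off check implied by the last sentence above (every publicly released binary must have its symbols archived) can be automated. The script below is an added example, not code from the book or from Microsoft. It assumes the two-level directory layout that Microsoft's symstore/SymSrv tools use for executable images, `<store>/<file name>/<TimeDateStamp:08X><SizeOfImage:X>/<file name>`, and reports any released `.exe`, `.dll` or `.sys` whose image is missing from the store. The PE image it builds and the release tree it populates are constructed test data; the function names (`pe_symbol_index`, `missing_symbols`, `demo`) are this example's own.

```python
"""Check that every released PE binary has a matching entry in a symbol store.

Added example (not from the book). It uses the two-level symbol store layout
that Microsoft's symstore/SymSrv tools use for executable images:
    <store>/<file name>/<TimeDateStamp:08X><SizeOfImage:X>/<file name>
This covers the image index; a PDB is indexed separately by the GUID and age in
the image's CodeView (RSDS) debug record, which is not parsed here.
"""
import struct
import tempfile
from pathlib import Path


def pe_symbol_index(data: bytes, filename: str) -> str:
    """Return the store-relative path a debugger would request for a PE image.

    The index comes from the COFF header's TimeDateStamp and the optional
    header's SizeOfImage, read straight from the file headers.
    """
    if data[:2] != b"MZ":
        raise ValueError(f"{filename}: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError(f"{filename}: missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    return f"{filename}/{timestamp:08X}{size_of_image:X}/{filename}"


def missing_symbols(release_dir: Path, store_dir: Path) -> list[str]:
    """List released binaries whose image is not present in the symbol store."""
    missing = []
    for binary in sorted(release_dir.iterdir()):
        if binary.suffix.lower() not in (".exe", ".dll", ".sys"):
            continue
        rel = pe_symbol_index(binary.read_bytes(), binary.name)
        if not (store_dir / rel).is_file():
            missing.append(binary.name)
    return missing


def make_fake_pe(timestamp: int, size_of_image: int) -> bytes:
    """Build a minimal, non-runnable PE header (constructed test data)."""
    img = bytearray(0x40 + 4 + 20 + 240)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)               # e_lfanew -> PE header
    img[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    struct.pack_into("<H", img, coff, 0x8664)             # Machine: x64
    struct.pack_into("<I", img, coff + 4, timestamp)      # TimeDateStamp
    struct.pack_into("<H", img, coff + 16, 240)           # SizeOfOptionalHeader
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x20B)               # PE32+ magic
    struct.pack_into("<I", img, opt + 56, size_of_image)  # SizeOfImage
    return bytes(img)


def demo() -> list[str]:
    """Populate a release tree and a symbol store in a temp dir, then run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        release = Path(tmp) / "release"
        store = Path(tmp) / "symbols"
        release.mkdir()
        # Two constructed binaries; only app.exe is archived to the store.
        app = make_fake_pe(0x4B1A2C3D, 0x1E000)
        helper = make_fake_pe(0x4B1A2C99, 0x5000)
        (release / "app.exe").write_bytes(app)
        (release / "helper.dll").write_bytes(helper)
        archived = store / pe_symbol_index(app, "app.exe")
        archived.parent.mkdir(parents=True)
        archived.write_bytes(app)
        return missing_symbols(release, store)   # -> ["helper.dll"]


if __name__ == "__main__":
    print("Released binaries without archived symbols:", demo())
```

Run against a real release directory and the internal symbol store share, an empty list is the condition to require before sign-off; anything else names a binary that engineers will not be able to debug from a customer crash report.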

Now the hard work begins: maintaining software and handling security bugs. That’s next.

References
