Release Tags:
tc:approved-release
stable:follows-policy
assert:supports-upgrade
assert:supports-accessible-upgrade
assert:supports-rolling-upgrade
assert:follows-standard-deprecation
There are 3 fields in a numbered release tag: 0.1.1, where first follows even numbers for stable release, odd numbers for development release for big changes; second follows even numbers for stable release, odd numbers for development release for small updates; third field follows by non-negative numbers for each patch version.
| Phases | Requirements | Release 1 Feature Project | Release 1 Integration Project | |
|---|---|---|---|---|
| Requirements | Determine if the project is subject to SDL policy | X | X | |
| Identify security advisor and security champion | X | |||
| Define security bug bar | X | X | ||
| Bug tracking tool must have Security Bug Effect field and Security Bug Cause field | X | X | ||
| Security and privacy risk assessment | X | X | ||
| Write Security plan document | ||||
| Design | Security design review | XX | ||
| Threat modeling | X | X | ||
| Follow cryptograph requirements | X | X | ||
| Write security architecture document | ||||
| Minimize default attack surface | ||||
| Enable least privilege | X | X | ||
| Default secure | X | X | ||
| Consider a defense-in-depth approach | ||||
| Examine past vulnerabilities in previous version of the project | ||||
| Deprecate outdated functionality | ||||
| Conduct a security review of source code | ||||
| Ensure appropriate logging | X | X | ||
| Hardware security design review | ||||
| Enforce strong log-out and session management | ||||
| Follow NEAT security user experience guidance | ||||
| Improve security-related prompts | ||||
| Implementation | Establish and follow best practices | X | X | |
| Run static analysis tool | X | X | ||
| Validation | Dynamic analysis | X | ||
| Fuzz testing (File parsing, RPC, network) | X | X | ||
| Kernel-model driver test | X | X | ||
| Risk and attack surface review | ||||
| Cross-site scripting testing | X | X | ||
| Penetration test | ||||
| Binary analysis | ||||
| Vulnerability regression test | ||||
| Data flow test | ||||
| Reply test | ||||
| Input validation test (Symbolic Execution) | ||||
| Privacy Model Checking (Information Flow Self-Composite Verification) | ||||
| Secure code review | ||||
| Security push | ||||
| Release | Incident and response plan | X | X | |
| Review and update the privacy companion form | X | X | ||
| Complete the privacy disclosure | X | X | ||
| Final security and privacy review | XX | |||
| Patch deployment tools | X | X | ||
| Release note with security disclosure | X | X |