FINAL SECURITY REVIEW
A true SDL ensures security prior to product release.
A frequently misunderstood but critical phase of any effective SDL is the Final Security Review (FSR). An FSR is a complex and thorough assessment of all SDL requirements, plus any additional security requirements the security team imposes, often including penetration testing and fuzzing. The process typically includes examining threat models and tool outputs, and measuring performance against the quality gates and bug bars defined during the requirements phase, in addition to the penetration testing and fuzzing itself.
Prior to release to the web or to manufacturing, an assigned security advisor must sign off that the FSR has been completed to their satisfaction. While many companies perform last-minute testing to comply with an SDL checklist, a true FSR is well planned and includes ample time for remediation. Failure to pass the FSR, or to be granted exceptions for known security vulnerabilities, will result in failure to ship the product on time.
IOActive teams with our clients throughout the Final Security Review, performing thorough reviews as well as deep-dive final testing. With a critical focus on ensuring security prior to release, we work hand in hand with the security advisor to ensure issues are identified early and addressed swiftly.