At this point we also define the metrics that will be tracked for the duration of the project.
This phase starts with a review of the security requirements. We check that each of the following sections is complete, unambiguous, and free of gaps in its requirement definitions.
During development, the security team systematically performs code walkthroughs with the developers and architects to build a working understanding of the code base and its design. Security and development teams then review the code together to look for security defects.
Once the application has been deployed, we carry out configuration management testing and, where applicable, penetration testing.
Security testing does not end once the application is in production: operational reviews are scheduled periodically to reassess security risks and application health.