
Product Security Pre-Launch Checklist

Given an end-to-end solution, ensure the following items are accounted for prior to production release (go-live). Require each item based on its applicability to the release, the risk involved, and the testing process. Reuse the list for subsequent releases and whenever development changes warrant. It provides release accountability for the most important security validation activities that should be conducted throughout the SDLC, as applicable, for any new product or service. A PDF template of this checklist is also available for download.

Launch Checklist PDF

Pre-Release Security Validation Checklist


  • Vendor security testing and delivery requirements specified in contracts
  • Vendor secure product development program attestation
  • End-to-end data security reviewed and validated
  • End-to-end data privacy reviewed and validated
  • Software design and architecture security reviewed and validated
  • Network design and architecture security reviewed and validated
  • Product/service security requirements reviewed and/or provided
  • All solution custom code tested for vulnerabilities with static code analysis
  • Solution authentication and session design and technology reviewed and validated
  • Functional user security configuration settings design reviewed and validated
  • Solution password creation, storage, and reset design reviewed and validated
  • API security reviewed and validated
  • Device provisioning design and architecture reviewed and validated
  • User provisioning design and architecture reviewed and validated
  • Software/firmware-update model design and architecture reviewed and validated
  • Device embedded system security controls reviewed and validated
  • Device vulnerability assessment conducted
  • Security patch levels of all third party and open source production software current
  • Product/service security features/functions testing conducted
  • Device final-firmware package scanned for vulnerabilities
  • Back-end network, systems, and operations security controls reviewed and validated
  • Back-end network and system services vulnerability assessment conducted
  • Web services dynamic vulnerability assessment conducted
  • Penetration testing of end-to-end solution
  • Solution cryptographic keys stored and managed securely
  • Source code repository security and access management in place
  • All security findings sufficiently remediated and managed