During the design and development, the solution is designed, prototyped and refined until a viable product has been released. Within this stage, the solution will be tested at different levels and should include security testing. This stage should consider the potential threats the system or service will face in life and provide prevention mechanisms.
- Security by Design principles should continue to be applied as the design is refined and evolves or matures.
- User Journeys and Use Cases that help to drive requirements and product features should include those that consider possible security attacks.
- These are then mapped to security requirements
- Components and sub-systems from 3rd party suppliers that are incorporated into the design should have undergone their own security assessment and testing prior to integration into the design
- Hardware components, including embedded software, can be a source of a security vulnerability. This could be as simple as exposed or unsealed hardware interfaces through to tampered firmware code.
- Open source software that is maintained by a community may mean that security testing has not been performed and / or there is no long-term support e.g. for security patches
- Testing the solution against those security requirements should be conducted as part of the standard process to ensure any vulnerabilities are identified and risks mitigated as part of this stage.