Product Security Governance
Software Security Flow Down
Phase
Description
Supporting Document(s)
Security Flow-Down Considerations
Requirements Specification
Defines in a complete, precise, and verifiable manner the requirements, design, behavior, or other expected characteristics of a system, service, or process.
Draft Statement of Work (SoW), Draft Requirements Description Document (RDD)
Capture explicit security requirements (e.g., authentication, data protection, compliance, logging).
Analysis
Examination of acquired data for its significance and probative value to the case.
SoW, Requirements Description Document (RDD), Draft Software Requirements Specification (SRS)
Validate security requirements against threat models, compliance standards, and risk assessments.
Design
Process to define the architecture, system elements, interfaces, and other characteristics of a system or system element.
Software Requirements Specification (SRS), Draft Software Design Document (SDD), Draft Software Development Plan (SDP)
Incorporate security architecture (secure data flows, access control, boundary protections, encryption strategy).
Implementation
Specific requirements or instructions for implementing software.
Draft Software Test Plan (STP), Software Design Document (SDD), Software Development Plan (SDP)
Apply secure coding standards, enforce code reviews, automate security scanning (SAST/DAST), protect dependencies.
Test
Determination of one or more characteristics of an object of conformity assessment, according to a procedure.
Software Test Plan (STP)
Perform penetration testing, vulnerability scanning, fuzz testing, and validate misuse cases.
Notes
Each phase builds on the previous one: Requirements → Analysis → Design → Implementation → Testing.
The Software Security Strategy flows down across all phases, ensuring traceability and consistent enforcement.
Supporting documents should be version-controlled within the repository for auditability and compliance.
Last updated