During the release stage, the application is deployed together with its different dependencies to production so that users can work with it. For instance, a TLS-enabled application may be deployed together with the OpenSSL 1.0.1 library.
Security activities in this stage determine whether an application’s dependencies contain known vulnerabilities (and presents ways to prevent these vulnerabilities or minimize their risk). For instance, it detects that an application uses OpenSSL 1.0.1 which is vulnerable to Heartbleed. Software composition analysis tools automate the discovery of these (vulnerable) dependencies.
After application deployment, testers should also perform a red team assessment. During this activity, testers model how a real-world adversary might attack a system. They also verify how well that system would hold up under attack by combining vulnerabilities that may seem small on their own, but when tied together in an attack path can cause severe damage. Just like real attackers, these testers do not only consider weaknesses of the application, but also weaknesses in the environment in which the application is deployed (e.g., network, firewalls, operating system), as well as weaknesses in operating procedures and people (e.g., role-based social engineering).
Education is a fundamental part of any secure software development life cycle (SSDLC). Every team member requires a baseline software security education to increase the awareness of the importance of security and to increase the knowledge of security engineering basics. Groups of engineers may receive advanced education to keep up-to-date with new threats.
The security activities outlined here are only a subset of the activities that different companies implement. You should create a software security roadmap that helps your firm define and build (or mature) a software security initiative (SSI).
Customizing your set of activities
Your plan should define a software security strategy as well as select the security activities that make sense for your organization. Initiatives exist to verify how your company stacks up against the rest of your industry peers. It is important that you show with measurements that your SSI improves the security posture of your applications.
Above all, remember that bringing security testing into the SDLC earlier lowers the cost to fix security defects.