Which practice in the Ship (A5) phase of the security development cycle verifies if the product meets security mandates?

Boost your knowledge for the WGU ITAS6231 D487 Secure Software Design Test. Utilize flashcards and multiple-choice questions, complete with explanations and hints, to prepare effectively for success.

In the Ship (A5) phase of the security development cycle, the focus is on ensuring that the software product is compliant with established security standards and policies before it is released. A policy compliance analysis specifically reviews whether the product adheres to specified security mandates and guidelines put in place by organizations, regulatory bodies, or industry standards.

This practice involves a comprehensive examination of the software to verify its alignment with requirements related to security, privacy, and operational integrity. By performing a thorough compliance analysis, organizations can identify any gaps or areas where the software may not meet necessary standards, thereby ensuring a secure product is being released to end-users.

In contrast, open-source licensing review pertains to legal compliance related to the use of open-source components, which does not directly evaluate security adherence. Code-assisted penetration testing, while helpful in identifying vulnerabilities, focuses primarily on discovering security flaws rather than compliance with security mandates. A final security review, though it checks overall security readiness, may not specifically assess compliance in the same systematic way as a dedicated policy compliance analysis would.
