Product Development Phase

In the Product Development Phase, the abstract goals and claims defined during the Concept Phase are translated into concrete cybersecurity requirements. These requirements guide design, implementation, and verification, ensuring that cybersecurity is built into the product from the start.

Objectives

  • Derive cybersecurity requirements from goals and claims.
  • Integrate security into system and component design.
  • Plan and perform verification and validation activities.
  • Ensure traceability between risks, goals, requirements, and tests.
  • Produce work products that demonstrate compliance.

Requirements Engineering

Requirements must be specific, measurable, and linked back to the risks identified in the TARA. They are allocated to systems, subsystems, and components and refined as design decisions are made.

  • System-level requirements: e.g., secure communication protocols, intrusion detection mechanisms.
  • Component-level requirements: e.g., secure boot, firmware authenticity checks, memory protection.
  • Process requirements: e.g., secure coding practices, vulnerability analysis.

Design and Implementation

Security-by-design principles are applied during system and component design:

  • Apply least privilege and secure defaults.
  • Implement defense-in-depth using multiple layers of protection.
  • Use secure update and diagnostics mechanisms.
  • Design for resilience and fail-safe behavior in case of compromise.

Verification and Validation

Verification ensures that requirements are implemented correctly, while validation confirms that goals and claims are satisfied. Evidence is gathered through:

  • Code and design reviews.
  • Static and dynamic analysis.
  • Penetration testing and vulnerability scanning.
  • Functional and robustness testing.

Traceability

A key principle in ISO/SAE 21434 is maintaining traceability across lifecycle artifacts:

  • Risks identified in TARA → mapped to cybersecurity goals.
  • Goals → mapped to requirements at different levels.
  • Requirements → linked to design elements and test cases.
  • Verification results → provide evidence that requirements are satisfied.
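
The chain above can be checked mechanically. The following Python code is an added example, not part of the original page or of ISO/SAE 21434: it walks risks → goals → requirements → tests and reports every broken link. The ID scheme, field names and sample data are constructed assumptions.

```python
# Constructed sample artifacts; IDs and field names are assumptions for illustration.
RISKS = ["RISK-1", "RISK-2", "RISK-3"]
GOALS = {"GOAL-1": ["RISK-1"], "GOAL-2": ["RISK-2"]}  # goal -> risks addressed
REQS = {  # requirement -> goals it refines, allocation level
    "REQ-1": {"goals": ["GOAL-1"], "level": "system"},
    "REQ-2": {"goals": ["GOAL-1"], "level": "component"},
    "REQ-3": {"goals": ["GOAL-9"], "level": "component"},  # dangling goal link
}
TESTS = {  # test case -> requirements verified, latest result
    "TC-1": {"reqs": ["REQ-1"], "result": "pass"},
    "TC-2": {"reqs": ["REQ-2"], "result": "fail"},
}


def find_gaps(risks, goals, reqs, tests):
    """Return (artifact_id, problem) pairs for every broken link in the chain."""
    gaps = []
    # Risks from the TARA that no cybersecurity goal addresses.
    covered = {r for linked in goals.values() for r in linked}
    gaps += [(r, "risk not mapped to any goal") for r in risks if r not in covered]
    # Goals that no requirement refines.
    refined = {g for meta in reqs.values() for g in meta["goals"]}
    gaps += [(g, "goal has no requirement") for g in goals if g not in refined]
    for req_id, meta in reqs.items():
        # Requirements pointing at goals that do not exist.
        for g in meta["goals"]:
            if g not in goals:
                gaps.append((req_id, f"references unknown goal {g}"))
        # Requirements without a test, or whose evidence is not passing.
        linked = [t for t in tests.values() if req_id in t["reqs"]]
        if not linked:
            gaps.append((req_id, "requirement has no test case"))
        elif any(t["result"] != "pass" for t in linked):
            gaps.append((req_id, "verification evidence is not passing"))
    return gaps


if __name__ == "__main__":
    for artifact, problem in find_gaps(RISKS, GOALS, REQS, TESTS):
        print(f"{artifact}: {problem}")
```

An empty result means every risk reaches passing verification evidence through at least one goal and requirement.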

Outputs of the Product Development Phase

  • Cybersecurity requirements specification.
  • System and component designs with integrated security.
  • Verification and validation reports.
  • Traceability matrices linking risks → goals → requirements → tests.
  • Work products required for audits and type approval.

Disclaimer: This page summarizes the Product Development Phase as defined in ISO/SAE 21434. For detailed processes, criteria, and normative requirements, please consult the official ISO/SAE 21434:2021 standard.