The project MUST have performed a security review within the last 5 years. This review MUST consider the security requirements and security boundary. [security_review]
This MAY be done by the project members and/or an independent evaluation. This evaluation MAY be supported by static and dynamic analysis tools, but there also must be human review to identify problems (particularly in design) that tools cannot detect.