A secure SDLC is a software development lifecycle that includes security at every stage of development from inception to retirement. The goal of a Secure SDLC is to produce a secure system by incorporating security throughout the entire development process instead of adding it on as an afterthought.
What is Software Development Life Cycle (SDLC)?
A software development life cycle (SDLC) is a framework defining tasks performed at each step in the software development process. SDLC is a process which consists of a series of planned activities to develop, maintain, and replace specific software.
The concept of a software development life cycle (SDLC) has been around for decades, and many different models for managing the process have been created. For example, Microsoft follows 12 SDLC practices that support security assurance and compliance requirements.
The main goal of an SDLC is to produce high-quality software that meets or exceeds customer expectations and is delivered on time and within budget. When followed correctly, an SDLC can help to ensure that software is developed efficiently and effectively.
There are many different models for SDLC, but they all generally include the same basic steps:
1: Planning and Requirements:
In this stage, the project team works with the customer to understand their needs and requirements. A project plan is created and includes a schedule and budget.
2: Design:
In the design stage, the system architecture and components are designed. This includes creating diagrams and flowcharts to visualize how the system will work.
3: Implementation or Coding:
This is the stage where the actual code is written.
4: Testing:
Once the code has been written, it needs to be tested to ensure that it meets the requirements specified in the design phase and that there are no bugs.
5: Deployment:
Once the software has been tested and approved, it can be deployed. This usually involves installing it on servers or computers and making it available to users.
6: Maintenance:
Even after a software system has been deployed, it will need to be maintained. This includes making sure that it continues to work as expected and making changes or upgrades as needed.
What is SSDLC and how is Security added to an SDLC?
The Secure SDLC overlaps the SDLC at every stage. While there is no one-size-fits-all answer as to how to secure the SDLC (it will vary depending on the particular organization and software development methodology being used), the common steps are outlined below:
1: Planning and requirements gathering:
This phase of the SSDLC is focused on understanding the security requirements for the software being developed, and ensuring that these requirements are incorporated into the overall project plan.
2: Design:
In this phase of the Secure SDLC, the software design is created, taking into account the security requirements that were identified in the previous phase. An architecture security review can be done at this stage.
3: Implementation or Coding:
The actual coding of the software takes place during this phase. Static code analysis can be done as early as there is code to review.
4: Testing:
Once the software has been coded, it must be thoroughly tested to ensure that it meets the security requirements that were established in the earlier phases. This typically involves both static and dynamic testing.
5: Deployment:
The software is finally deployed to its intended environment, where it will be used by end users. Once it is in production, it is important to make sure that security controls such as intrusion detection and prevention tools are running properly.
6: Maintenance:
Even after the software has been deployed, it still needs to be maintained on an ongoing basis in order to ensure that its security posture remains effective.
How can you get started?
If you are developing or designing software, there are a number of things that you can do to get started:
- Get familiar with common security vulnerabilities (for example, Cross-Site Scripting (XSS)) and security best practices for the technology stack you are using
- Review the security of the architecture of your software product
- Audit your code for vulnerabilities with static code analysis
- Review your third party components and libraries for vulnerabilities
- Perform dynamic testing against your running product