Software Integrity Blog

Secure SDLC 101

Learn about the phases of a software development life cycle, plus how to build security in or take an existing SDLC to the next level: the secure SDLC.

Most organizations have a well-oiled machine whose sole purpose is to create, release, and maintain functional software. However, the growing concerns and business risks associated with insecure software have brought increased attention to the need to integrate security into the development process. Implementing a proper secure software development life cycle (SSDLC) is more important now than ever.

What is the secure SDLC and why should I care?

A software development life cycle (SDLC) is a framework that defines the process used by organizations to build an application from its inception to its decommission. Over the years, multiple standard SDLC models have been proposed (waterfall, iterative, agile, etc.) and used in various ways to fit individual circumstances. It is, however, safe to say that in general, SDLCs include the following phases:

In the past, it was common practice to perform security-related activities only as part of testing. This after-the-fact technique usually resulted in a high number of issues discovered too late (or not discovered at all). It is a far better practice to integrate security activities across the SDLC to help discover and reduce vulnerabilities early, effectively building security in.

It is in this spirit that the concept of the secure SDLC arises. A secure SDLC process ensures that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the development effort. The primary advantages of pursuing a secure SDLC approach are:

How does a secure SDLC work?

Generally speaking, a secure SDLC is set up by adding security-related activities to an existing development process. Examples include writing security requirements alongside the collection of functional requirements, or performing an architecture risk analysis during the design phase of the SDLC.

Many secure SDLC models have been proposed. Here are a few of them:

How do I get started?

If you are a developer or tester, there are actions you can take in your day-to-day work to move toward a secure SDLC and improve the security posture of your organization, including:

For a more significant impact, however, management must be involved in devising a strategic approach. If you’re a decision-maker interested in implementing a complete SSDLC from scratch, here’s how to get started:

I’m way ahead of you. What’s next?

Your organization already has a secure SDLC implemented? Fantastic, well done! There is always room for improvement. One way to determine your standing is by evaluating your program based on how other organizations built their security program and what activities they perform. The BSIMM (Building Security In Maturity Model) can help with just that.