Software Development Life Cycle (SDLC)

What are the phases of the software development life cycle?

Planning phase

The planning phase is the initial stage of the SDLC. In this stage, the development team gathers input from various stakeholders—including customers, sales, internal and external experts, and developers—to define the requirements of the desired software. Then the team determines what resources are needed to satisfy those requirements and calculates the cost of those resources. During this phase, the team describes not only what they want in the software but also what they don’t want. Doing this is especially important when planning an upgrade or replacement of existing software.

In the past, a common practice was to perform security-related activities during the testing phase. However, many organizations have found that security testing late results in unanticipated costs and development delays—the very issues that the SDLC was designed to fix.

It’s a better practice to integrate security activities from the planning stage across the software development life cycle to discover and eliminate vulnerabilities early and quickly. The concept of the secure software development life cycle (SSDLC) ensures that security assurance activities (e.g., penetration testing, code review, and architecture analysis) are an integral part of the cycle from planning through deployment.

A development team can set up an SSDLC by implementing security-related activities within the existing development process. Examples of activities include writing security requirements during the planning stage and performing an architecture risk analysis during the design phase.

Synopsys provides several software security initiative tools that are useful for the planning stage to ensure that both software quality and security are rock-solid: 

• Building Security In Maturity Model (BSIMM) - Measure your software security program against other security programs.
• Maturity Action Plan (MAP) - Get recommendations to improve your software security stance.
• Software Testing Optimization - Help your team prioritize and create the right level of security testing. 

Design phase

After the planning phase comes the design phase. The primary objective of this phase is crafting a high-level design of the software build. In the design phase, the stakeholders, users, and developers consider the requirements and determine the scope of work of the system and software to be built. They review the technologies to be used, the capability of the team, and project constraints (e.g., time and budget) before selecting the best approach and creating an architectural design. This design lays out all the system components that need to be developed, communications with third-party services, user flows, database calls, and component behavior. The design is usually described in a design specification document (DSD).

Synopsys offers several services for the design stage to ensure both quality and security:

• Architecture Risk Analysis - Ensure you have secure design practices in place.
• Threat Modeling - Explore how an attacker could exploit your design.
• Security Control Design Analysis - Inspect your software for missing or weak security controls. 

Implementation phase

The implementation phase is also known as the “coding” phase. Developers implement the software design by writing the majority of code during this stage, which is often the longest phase of the SDLC.

Synopsys offers tools you can use during the implementation/coding stage to maintain the quality and security of your code:

Coverity Static Application Security Testing - Find security weaknesses and quality defects in your code as you're writing it.

Black Duck Software Composition Analysis - Secure and manage open source used in your code from development to deployment. 

Verification stage

The verification stage is the next phase of the SDLC after the coding stage produces an operable product. During the verification phase (also known as the “testing” phase), the testing team evaluates the products of the development phase to assess whether they meet specified requirements.

The testers perform functional testing (such as unit testing, integration testing, system testing, and acceptance testing), as well as nonfunctional testing. If they identify a defect, they inform the developers. If the defect is valid, developers resolve it and create a new version of the software. Each new version of the software triggers repeated testing during this stage. The cycle continues until the development team has mitigated all discovered defects and the software is ready for deployment into the production environment.

Verification stage tools and services

You can use several tools and services to ensure software quality and security during the verification stage:

• Static application security testing (SAST) analyzes source code to find security vulnerabilities that make your organization’s applications susceptible to attack.
• Software composition analysis (SCA) helps you manage the security, quality, and license compliance risks that come from the use of open source and third-party code in applications and containers.
• Interactive application security testing (IAST) uses dynamic testing (a.k.a. runtime testing) techniques to identify vulnerabilities in running web applications.
• Dynamic application security testing (DAST) Dynamic analysis evaluates an application while executing it to uncover issues with its runtime behavior.
• Fuzz testing. Fuzz testing is a black box process that tries to crash a running system by feeding it random data, enabling you to find and fix security weaknesses.
• Penetration testing. Penetration testing analysis helps you find and fix exploitable vulnerabilities in your server-side applications and APIs.

Release stage

The release stage, also known as “deployment,” involves releasing the completed software into the production environment and performing post-production activities, such as monitoring. Additional testing occurs in the production environment. Final deployment takes place once all bugs are discovered and resolved.

• Managed Dynamic Application Security Testing - If your team lacks the resources for effective DAST testing, Synopsys Managed DAST allows you to analyze web applications at any time without the cost or complexity of in-house DAST.
• Managed Penetration Testing - Synopsys Managed Penetration Testing uses multiple testing tools and in-depth manual tests focusing on business logic to find and try to exploit vulnerabilities in running web applications or web services. 

• Insider Threat Detection - Prevent malicious insiders from using innocuous code to sabotage your systems.
• Threat Modeling - Adopt the perspective of malicious hackers to identify the types of threat agents that could harm your system and see how much damage they could. 
• Red Teaming - Subject your system to a simulation of a real-life attack to measure your risk.