The planning phase is the initial stage of the SDLC. In this stage, the development team gathers input from various stakeholders—including customers, sales, internal and external experts, and developers—to define the requirements of the desired software. Then the team determines what resources are needed to satisfy those requirements and calculates the cost of those resources. During this phase, the team describes not only what they want in the software but also what they don’t want. Doing this is especially important when planning an upgrade or replacement of existing software.
In the past, a common practice was to perform security-related activities during the testing phase. However, many organizations have found that security testing late results in unanticipated costs and development delays—the very issues that the SDLC was designed to fix.
It’s a better practice to integrate security activities from the planning stage across the software development life cycle to discover and eliminate vulnerabilities early and quickly. The concept of the secure software development life cycle (SSDLC) ensures that security assurance activities (e.g., penetration testing, code review, and architecture analysis) are an integral part of the cycle from planning through deployment.
A development team can set up an SSDLC by implementing security-related activities within the existing development process. Examples of activities include writing security requirements during the planning stage and performing an architecture risk analysis during the design phase.
Synopsys provides several software security initiative tools that are useful for the planning stage to ensure that both software quality and security are rock-solid:
After the planning phase comes the design phase. The primary objective of this phase is crafting a high-level design of the software build. In the design phase, the stakeholders, users, and developers consider the requirements and determine the scope of work of the system and software to be built. They review the technologies to be used, the capability of the team, and project constraints (e.g., time and budget) before selecting the best approach and creating an architectural design. This design lays out all the system components that need to be developed, communications with third-party services, user flows, database calls, and component behavior. The design is usually described in a design specification document (DSD).
Synopsys offers several services for the design stage to ensure both quality and security:
The implementation phase is also known as the “coding” phase. Developers implement the software design by writing the majority of code during this stage, which is often the longest phase of the SDLC.
Synopsys offers tools you can use during the implementation/coding stage to maintain the quality and security of your code:
Coverity Static Application Security Testing - Find security weaknesses and quality defects in your code as you're writing it.
Black Duck Software Composition Analysis - Secure and manage open source used in your code from development to deployment.
The verification stage is the next phase of the SDLC after the coding stage produces an operable product. During the verification phase (also known as the “testing” phase), the testing team evaluates the products of the development phase to assess whether they meet specified requirements.
The testers perform functional testing (such as unit testing, integration testing, system testing, and acceptance testing), as well as nonfunctional testing. If they identify a defect, they inform the developers. If the defect is valid, developers resolve it and create a new version of the software. Each new version of the software triggers repeated testing during this stage. The cycle continues until the development team has mitigated all discovered defects and the software is ready for deployment into the production environment.
You can use several tools and services to ensure software quality and security during the verification stage:
The release stage, also known as “deployment,” involves releasing the completed software into the production environment and performing post-production activities, such as monitoring. Additional testing occurs in the production environment. Final deployment takes place once all bugs are discovered and resolved.