Software Development Life Cycle (SDLC)

What are the phases of the software development life cycle?

Planning phase

The planning phase is the initial stage of the SDLC. In this stage, the development team gathers input from various stakeholders—including customers, sales, internal and external experts, and developers—to define the requirements of the desired software. Then the team determines what resources are needed to satisfy those requirements and calculates the cost of those resources. During this phase, the team describes not only what they want in the software but also what they don’t want. Doing this is especially important when planning an upgrade or replacement of existing software.

In the past, a common practice was to perform security-related activities during the testing phase. However, many organizations have found that security testing late results in unanticipated costs and development delays—the very issues that the SDLC was designed to fix.

It’s a better practice to integrate security activities from the planning stage across the software development life cycle to discover and eliminate vulnerabilities early and quickly. The concept of the secure software development life cycle (SSDLC) ensures that security assurance activities (e.g., penetration testing, code review, and architecture analysis) are an integral part of the cycle from planning through deployment.

A development team can set up an SSDLC by implementing security-related activities within the existing development process. Examples of activities include writing security requirements during the planning stage and performing an architecture risk analysis during the design phase.

Synopsys provides several software security initiative tools that are useful for the planning stage to ensure that both software quality and security are rock-solid: 

• Building Security In Maturity Model (BSIMM) - Measure your software security program against other security programs.
• Maturity Action Plan (MAP) - Get recommendations to improve your software security stance.
• Software Testing Optimization - Help your team prioritize and create the right level of security testing. 

Design phase

After the planning phase comes the design phase. The primary objective of this phase is crafting a high-level design of the software build. In the design phase, the stakeholders, users, and developers consider the requirements and determine the scope of work of the system and software to be built. They review the technologies to be used, the capability of the team, and project constraints (e.g., time and budget) before selecting the best approach and creating an architectural design. This design lays out all the system components that need to be developed, communications with third-party services, user flows, database calls, and component behavior. The design is usually described in a design specification document (DSD).

Synopsys offers several services for the design stage to ensure both quality and security:

• Architecture Risk Analysis - Ensure you have secure design practices in place.
• Threat Modeling - Explore how an attacker could exploit your design.
• Security Control Design Analysis - Inspect your software for missing or weak security controls. 

Implementation phase

The implementation phase is also known as the “coding” phase. Developers implement the software design by writing the majority of code during this stage, which is often the longest phase of the SDLC.

Synopsys offers tools you can use during the implementation/coding stage to maintain the quality and security of your code:

Coverity Static Application Security Testing - Find security weaknesses and quality defects in your code as you're writing it.

Black Duck Software Composition Analysis - Secure and manage open source used in your code from development to deployment. 

Verification stage

The verification stage is the next phase of the SDLC after the coding stage produces an operable product. During the verification phase (also known as the “testing” phase), the testing team evaluates the products of the development phase to assess whether they meet specified requirements.

The testers perform functional testing (such as unit testing, integration testing, system testing, and acceptance testing), as well as nonfunctional testing. If they identify a defect, they inform the developers. If the defect is valid, developers resolve it and create a new version of the software. Each new version of the software triggers repeated testing during this stage. The cycle continues until the development team has mitigated all discovered defects and the software is ready for deployment into the production environment.

Verification stage tools and services

You can use several tools and services to ensure software quality and security during the verification stage:

• Static application security testing (SAST) analyzes source code to find security vulnerabilities that make your organization’s applications susceptible to attack.
• Software composition analysis (SCA) helps you manage the security, quality, and license compliance risks that come from the use of open source and third-party code in applications and containers.
• Interactive application security testing (IAST) uses dynamic testing (a.k.a. runtime testing) techniques to identify vulnerabilities in running web applications.
• Dynamic application security testing (DAST) Dynamic analysis evaluates an application while executing it to uncover issues with its runtime behavior.
• Fuzz testing. Fuzz testing is a black box process that tries to crash a running system by feeding it random data, enabling you to find and fix security weaknesses.
• Penetration testing. Penetration testing analysis helps you find and fix exploitable vulnerabilities in your server-side applications and APIs.

Release stage

The release stage, also known as “deployment,” involves releasing the completed software into the production environment and performing post-production activities, such as monitoring. Additional testing occurs in the production environment. Final deployment takes place once all bugs are discovered and resolved.

• Managed Dynamic Application Security Testing - If your team lacks the resources for effective DAST testing, Synopsys Managed DAST allows you to analyze web applications at any time without the cost or complexity of in-house DAST.
• Managed Penetration Testing - Synopsys Managed Penetration Testing uses multiple testing tools and in-depth manual tests focusing on business logic to find and try to exploit vulnerabilities in running web applications or web services. 

• Insider Threat Detection - Prevent malicious insiders from using innocuous code to sabotage your systems.
• Threat Modeling - Adopt the perspective of malicious hackers to identify the types of threat agents that could harm your system and see how much damage they could. 
• Red Teaming - Subject your system to a simulation of a real-life attack to measure your risk. 

SDLC Methodologies

Popular SDLC methodologies include agile, lean, waterfall, iterative, and spiral.

The agile methodology

The agile methodology produces ongoing release cycles, each featuring small, incremental changes from the previous release. At each iteration, the product is tested. The agile model helps teams identify and address small issues in projects before they evolve into more significant problems. Teams can also engage business stakeholders and get their feedback throughout the development process.

The lean methodology

The lean methodology for software development is inspired by lean manufacturing practices and principles. The lean principles encourage creating better flow in work processes and developing a continuous improvement culture. The seven lean principles are:

• Eliminate waste.
• Amplify learning.
• Make decisions as late as possible.
• Deliver as fast as possible.
• Empower your team.
• Build integrity in.
• Build holistically.

The waterfall methodology

Waterfall represents the oldest, simplest, and most structured methodology. Each phase depends on the outcome of the previous phase, and all phases run sequentially. The model provides discipline and gives a tangible output at the end of each phase. However, this model doesn’t work well when flexibility is a requirement. There is little room for change once a phase is deemed complete, as changes can affect the cost, delivery time, and quality of the software.

The iterative methodology

In the iterative process, each development cycle produces an incomplete but deployable version of the software. The first iteration implements a small set of the software requirements, and each subsequent version adds more requirements. The last iteration contains the complete requirement set.

The spiral methodology

In the spiral development model, the development process is driven by the unique risk patterns of a project. The development team evaluates the project and determines which elements of the other process models to incorporate. 

Where does DevOps fit in?

The process outlined by the SDLC centers on creating software, from planning to production deployment. But the process does not address how users engage with the software in production. This disconnect between software creation and software use drives the need for DevOps.

DevOps is a development culture that focuses on increasing collaboration between the team that creates and modifies software (development) and the team that oversees software use (operations). Thus, DevOps completes the software development life cycle by connecting post-production activities to earlier stages. This feedback loop allows development to be more responsive to customer needs.

The line between the SDLC and DevOps blurs with activities such as building and testing software. But generally, discussions about the software develpment life cycle refer to the earlier phases of the software development life cycle, such as requirements, design, and development, while “DevOps” refers to the communication of feedback during the later stages of deployment and post-production.