Waterfall presents the oldest, simplest, and most structured SDLC methodology. Each phase depends on the outcome of the previous phase and runs sequentially.
Advantages of the Waterfall Methodology. This model provides discipline and gives a tangible output at the end of each phase. Once the scope is defined, establishing and managing a timeline is straightforward.
Disadvantages of the Waterfall Methodology. This model doesn’t work well when flexibility is a requirement. There is little room for change once a phase is deemed complete. Changes made in the scope can impact cost, time, and quality of the software. Additionally, if tasks aren’t carried out properly in each stage, or if new tasks require attention at a later stage, the entire project has a severe impact.
The Agile model is widely considered to be a realistic approach for development. It is an interactive approach in which the various phases operate in parallel. Most notably, Agile provides a working product quickly by breaking the product into cycles.
Advantages of the Agile Methodology. The Agile model emphasizes interaction as customers, developers, and testers coordinate throughout the project. Due to the model’s interactive nature, changes are easily brought into the process. It’s a transparent approach for tracing progress. Additionally, each iteration provides helpful feedback on the product.
Disadvantages of the Agile Methodology. Clear and thorough foundational requirements about product direction are critical. If the foundational requirements change often, planning becomes complicated and the project can go awry. Team members must be highly cross-skilled since core teams are often small. Team members must also be up-skilled on the chosen Agile framework.
Other SDLC models include the V-shaped model, the iterative model, and the spiral model. These are variations of the Waterfall and Agile models with similar advantages and disadvantages.
In the past, the common practice was to perform security-related activities only during testing. This after-the-fact technique often results in a high number of issues discovered too late (or not at all). It’s a far better practice to integrate activities across the SDLC. This helps discover and reduce vulnerabilities early—effectively building security in.
It is in this spirit that the concept of the Secure Software Development Life Cycle (SSDLC) arises. The SSDLC process ensures that security assurance activities (e.g., penetration testing, code review, and architecture analysis) are an integral part of the development effort.
Generally speaking, the SSDLC is set up by implementing security-related activities within an existing development process. Examples include writing security requirements in coordination with the collection of functional requirements, or performing an architecture risk analysis during the design phase of the SDLC.
There are multiple SSDLC models in existence. Examples include: