Software Development Life Cycle
The software development life cycle (SDLC) defines the steps needed to develop and maintain software throughout its useful life. This process is initiated during the software design phase and focuses on quality development standards that result in timely and cost-effective delivery against requirements.
Security analysis and testing is an important component of the development cycle and should be considered through every step of the SDLC, which includes the following phases: analysis, requirements document, design and prototype, implementation (coding), testing and release, and maintenance.
While SDLCs were historically focused on satisfying functional requirements through software development processes, the increase in cyberattacks has led to the integration of security into each phase of the SDLC.
Collect and analyze requirements.
Create a solution and build a software framework for that solution.
Develop the code.
Test the code.
Deploy the software.
Maintain and update the software as necessary.
Add code to correct an unforeseen problem or for more functionality.
In practice, it may not be feasible to work on each phase independently. It is possible, and sometimes required, to revisit previous steps based on changes to the functional requirements or the need for improvements. Therefore, other life cycle models have been built upon the traditional waterfall model’s framework. The waterfall model is extensively used in practice, particularly in the development of large enterprise software systems.
Understanding the software development life cycle and its cybersecurity implications is important for the security professional. Most attacks affect software used for web browsers, Internet applications, databases, domain name systems (DNS), and web servers. In order to protect against these types of attacks, security must be “baked in” throughout the software development life cycle. This means that security is deeply considered during all phases of the SDLC. Bolting on security after a system has been implemented is unfeasible and proves prohibitively costly.
Most software development methodologies have common phases. Generally, the software development life cycle (SDLC) consists of the following phases: requirements document, design and prototype, implementation (coding), testing and release, and maintenance.
During the first phase, functional and performance requirements for the software system are gathered and formalized (Kissel et al., 2008). In order to create secure software, it is important to include security requirements in this phase.
Based on the security requirements, a set of modules and their interfaces evolve during the design phase. The design is then implemented through coding in one or more appropriate programming languages.
During the test phase, the implementation is tested to make sure it satisfies the requirements before the software is released for use by the customers (users). Traditionally, SDLCs are focused on developing the software system to meet the functional requirements of users.
The increasing number of attacks on software has heightened awareness of the need to develop secure software. Consequently, it has become standard practice to include processes incorporating security during the software development life cycle (SDLC). More recently, SDLCs are being augmented to integrate security at each phase, adding protection to software. This is needed because when developers build security into each SDLC phase, there is a greater chance that it will be “baked in” and that future changes to the software will not introduce new security issues.
The major areas of security concern for the life cycle phases focus on access privileges and controls, recovery procedures, data access, authorization, and system administration. To combat poor software development practices, the Open Web Application Security Project (OWASP) identified the top 10 issues overlooked within the SDLC. They include unvalidated input, poor access control, broken authentication and session management, cross-site scripting (XSS) flaws, buffer overflows, injection flaws, improper error handling, insecure storage, denial of service (DoS), and insecure configuration management.
There’s also the Software Assurance Forum for Excellence in Code (SAFECode), a nonprofit organization dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods.
Additionally, new software development life cycle frameworks are being introduced in order to enforce secure software creation. For example, the SecDLC framework includes a higher level of securing interactions within each phase of the web-based application development life cycle (Kalaimannan & John, 2016). The phases of the SecDLC include assessment, detection, protection, and response.