Secure Development Life Cycle
In this article, we will explore what the System Development Life Cycle is and how the variant models introduced over the last decades can be used to develop different kinds of computer systems.
Note
Like development methodologies, each organisation will have its own take on secure development.
Rather than give details of any one implementation, this section aims to give an introduction to the concepts behind SDLC.
Introduction to System Development Life Cycle
The System Development Life Cycle is a framework that was introduced in order to avoid the costly design and implementation mistakes regularly met in a developed system. It should be mentioned that this framework can also expedite the development process of a system as it proposes an iterative approach that consists of the following distinct stages:
- Planning: Provides a project management plan that works as the basis for acquiring the resources needed to develop the considered system.
- Requirements/Analysis: Specifies user requirements describing the detailed functioning of the intended system.
- Design: System features and operations are described in detail (i.e. system requirements) through the use of prototype models like process diagrams, pseudocode, etc.
- Development: The system is constructed, involving the actual programming process.
- Testing: Demonstrates that the system conforms to requirements by applying testing techniques.
- Maintenance: The system is assessed/evaluated to ensure it does not become obsolete. This is also where changes are made to initial system functioning.
By following the stages of the SDLC framework, we could develop a system that would possibly exhibit fewer operating and/or security flaws, as this framework provides different approaches (i.e. models) that can be used for the implementation of different types of systems.
SDLC Models
SDLC has been incorporated into the usual software development life cycles:
- Waterfall model
- Iterative model
- Spiral model
- V-shape model
- Agile model
It's clear that the SDLC maps nicely onto the "staged" version of the Waterfall or iterative model; many publications by organisations like SANS focus on a more iterative approach.
Can Agile be Secure #AgileSecure
It's a big discussion point this week.
There has also been argument that rapid development models like agile or RAD are a poor fit for designing secure software, with the inherent flexibility and rapid nature of agile meaning that it is not a good fit with the systematic approach required for security. SANS has a great article on Agile.
It's a really interesting question: how to balance a development process that works well against the seemingly competing needs for security.
This week I want you to research and discuss this point in your groups (and on the feed). Each group will also need to put together a 5-minute presentation, ready for the start of the Online lab session.
- Can Agile work with the SDLC?
- What needs to be changed in the agile process to build in security?
Research the topic to help build your argument (for example the link above) and support your views.
Further Reading
Link to the PDF document