DFIR Blog

Domain-8

Commercial Off the Shelf Software

2/18/2023

  • End-to-end development and control of the software


DevOps (Development + Operation)

2/18/2023

CI + CD (Continuous Integration + Continuous Deployment)
Threats in the DevOps Model:
  • Segregation of Duties, since development and operations work on the same platform.
Benefits of DevOps
  • Speed
  • Rapid Delivery
  • Reliability
  • Scale
  • Improved Collaboration

CBK vs NIST SDLC Comparative Chart

2/18/2023


SDLC - NIST (Only 4 Phases)

2/18/2023

1. Initiation + Functional Requirements:
  • The need for a system is expressed, and the system purpose and high-level requirements are documented.
2. Acquisition & Development
  • Risk Assessment
  • Initial Document for System Certification
  • Functional and Security Testing
3. Implementation/Assessment
  • Plan and system testing activity
4. Operational/Maintenance
  • System Performance Monitoring
5. Sunset (Disposal)


SDLC (7 Phases) - CBK Based

2/18/2023

SDLC defines the software phases.
1. Project Initiation and Planning
  • Security must be introduced in this phase (Remember - Security needs to be baked in, not bolted on)
  • Security activities should be part of the project initiation activities.
  • The deliverable document must include an outline of the project objective, scope, strategies, cost, schedule, etc.
  • Security training for developers must be planned in this phase
  • Identification of legal and compliance requirements
  • Privacy and business impact must be assessed in this phase
2. Functional Requirement Gathering
  • Security functional requirements must be documented in this phase
  • Privacy Impact Assessment (PIA) must be done in this phase
  • Security requirements must be formalized
3. System Design Specifications
  • Design the entire application, including data flow, data input and data output
  • Threat modeling is performed in this phase, e.g. STRIDE, PASTA
  • Secure Design
4. Development and Implementation
  • Adopt secure coding standards to bring uniformity across the code.
  • Unit, integration and system testing
  • Code analysis for common vulnerabilities (SAST - Static Code Analysis)
5. Documentation
  • Security Documentation
6. Testing
  • UAT Testing
  • Certification Process
  • Test with known good data (never use production data).
  • Data Validation
  • Bounds checking is conducted to prevent buffer overflows
7. Transition to Production
  • Certification - Technical evaluation of the product
  • Accreditation - Management acceptance of the product
  • Testing, acceptance and transition into production happen in Phase 7
SLC has 9 Phases (7+2)
8. Maintenance and Use
  • Revision and System Replacement
  • A Change Management Process should be followed and recorded when making any change in the SDLC/SLC process. In the absence of a change management process it is difficult to establish accountability.
9. Decommissioning and Disposal
