SDLC (7 Phases) - CBK Based
The SDLC defines the phases a piece of software moves through, and where security work belongs in each.
1. Project Initiation and Planning
Security must be introduced in this phase (Remember - Security needs to be baked in not bolted on)
Security activities start with project initiation, not after design is complete.
The deliverable document must outline the project objective, scope, strategy, cost, schedule, etc.
Security training for developers must be planned in this phase.
Legal and compliance requirements are identified in this phase.
Privacy impact and business impact must be assessed in this phase.
2. Functional Requirement Gathering
Security functional requirements must be documented in this phase.
A Privacy Impact Assessment (PIA) must be done in this phase.
Security requirements must be formalized, so that design and testing can be checked against them.
3. System Design Specifications
Design the entire application, including data flows, data inputs and data outputs.
Threat modeling (e.g. STRIDE, PASTA) is performed in this phase, against the data flows produced by the design.
4. Development and Implementation
Adopt secure coding standards to bring uniformity across the code base.
Unit, integration and system testing.
Code analysis for common vulnerabilities (SAST - Static Application Security Testing).
Test with known good data (never use production data).
Bounds checking is performed on every copy and every index derived from input, to prevent buffer overflows.
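The bounds-checking point above, as an added example (not code from the original notes): an unchecked strcpy into a fixed field beside a bounds-checked copy that fails closed, plus a bounds-checked table lookup that rejects negative and out-of-range indexes. NAME_LEN, the function names and the sample table are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed 16-byte field such as a username, with the
 * NUL terminator counted inside the 16 bytes. */
#define NAME_LEN 16

/* Length of src, reading at most limit bytes, so an unterminated source
 * cannot make the length scan itself read out of bounds. */
static size_t bounded_len(const char *src, size_t limit)
{
    size_t n = 0;
    while (n < limit && src[n] != '\0')
        n++;
    return n;
}

/* The defect bounds checking exists to prevent: strcpy trusts the caller to
 * keep src shorter than NAME_LEN. A longer src overwrites whatever follows
 * dst in memory. Shown for contrast only; never call it with untrusted data. */
void copy_unchecked(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Bounds-checked copy: rejects input that does not fit including its NUL.
 * Returns 0 on success, -1 on rejection; dst is NUL-terminated either way. */
int copy_checked(char dst[NAME_LEN], const char *src)
{
    size_t n = bounded_len(src, NAME_LEN);
    if (n >= NAME_LEN) {
        dst[0] = '\0';
        return -1;            /* fail closed rather than truncate silently */
    }
    memcpy(dst, src, n + 1);  /* n < NAME_LEN, so the terminator fits */
    return 0;
}

/* Bounds-checked indexing: idx comes from untrusted input (a parsed message
 * field, for instance) and may be negative or past the end of the table.
 * Returns 1 and stores the element in *out on success, 0 otherwise. */
int lookup_checked(const int *table, size_t count, long idx, int *out)
{
    if (idx < 0 || (unsigned long)idx >= count)
        return 0;
    *out = table[idx];
    return 1;
}

int main(void)
{
    char name[NAME_LEN];
    const int ports[4] = {22, 80, 443, 8443};  /* constructed table */
    int v;

    /* 15 characters plus NUL fit exactly; 16 characters do not. */
    printf("short:    %d\n", copy_checked(name, "alice"));
    printf("15 chars: %d\n", copy_checked(name, "0123456789abcde"));
    printf("16 chars: %d\n", copy_checked(name, "0123456789abcdef"));

    printf("idx 3:  %d\n", lookup_checked(ports, 4, 3, &v));
    printf("idx 4:  %d\n", lookup_checked(ports, 4, 4, &v));
    printf("idx -1: %d\n", lookup_checked(ports, 4, -1, &v));
    return 0;
}
```

The checked copy rejects over-long input instead of truncating it, because silent truncation can turn one field into another (a username that becomes a different, valid username). The index check tests for a negative value before the size comparison, since casting a negative long to an unsigned type would otherwise make it look like a very large, and still out-of-range, index.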
7. Transition to Production
Certification - technical evaluation of the product against its security requirements.
Accreditation - management's formal acceptance of the product and its residual risk.
Testing, acceptance and transition into production take place in Phase 7.
The System Life Cycle (SLC) has 9 phases: the 7 SDLC phases plus 2 operational phases.
8. Maintenance and Use
Revision and System Replacement
A change management process should be followed, and every change recorded, for any change made during the SDLC/SLC. Without a change management process it is difficult to establish accountability for a change.
9. Decommissioning and Disposal