SDLC (7 Phases) - CBK Based

SDLC Defines the Software Phases
1. Project Initiation and Planning

• Security must be introduced in this phase (Remember - Security needs to be baked in not bolted on)
• Security activities should be done in project initiation activities..
• The deliverable document must include the outline of the project objective, scope, strategies, cost, schedule etc.
• Security Training for Developer must be planned in this Phase
• Identification of Legal, Compliance requirement 
• Assess the Privacy and business impact must be assessed in this phase

2. Functional Requirement Gathering

• Security Functional Requirement must be documented in this phase
• Privacy Impact Assessment (PIA) must be done in this phase
• Security requirement must be formalized

3 System Design Specifications

• Design the entire application including Data Flow, Data Input, Data Output
• Threat Modeling is performed in this phase like STRIDE, PASTA etc
• Secure Design

4 Development and Implementation

• Adapt the Security Coding Standards for bring the uniformity across the code.
• Unit,Integration and System testing
• Code Analysis for Common Vulnerabilities (SAST - Static Code Analysis)

5 Documentation
Security Documentation
6 Testing

• UAT Testing
• Certification Process
• Test with Known good data (never use production data). 
• Data Validation
• Bound Checking is conducted to prevent the buffer overflow

7 Transition to Produce 

• Certification - Technical Evaluation of the product
• Accreditation - Management acceptance of the product
• Testing, acceptance and Transition into production in Phase 7

SLC has 9 Phases (7+2)
8 Maintenance and Use

• ​Revision and System Replacement 
• Change Management Process should be followed and recorded in making any change in SDLC/SLC Process. In absense of change management process it's difficult to establish the accountability.

9 Decomissioning and Disposal