Secure Software Development Lifecycle (SDLC) is a crucial approach to building robust, secure software. It integrates security practices into every phase of development, from planning to maintenance, ensuring vulnerabilities are caught and addressed early.
By following secure SDLC principles, development teams identify and mitigate security risks while they are still cheap to fix, instead of discovering them in production. The approach combines threat modeling, secure coding practices, and layered testing, and produces software that is more resilient to attack.
Secure Software Development Lifecycle (SDLC)
Phases of secure SDLC
- Planning and Requirements
  - Define security requirements and objectives: establishes a clear foundation for building secure software from the start
  - Identify compliance and regulatory requirements: ensures the software adheres to industry standards and legal obligations (GDPR, HIPAA)
  - Establish security metrics and key performance indicators (KPIs): enables measuring and tracking the effectiveness of security measures throughout the SDLC
- Design
  - Perform threat modeling: identifies vulnerabilities and attack vectors early in the design phase, before they are built in (STRIDE, DREAD)
  - Develop secure architecture and design patterns: incorporates security best practices into the software's structure and components (least privilege, defense in depth)
  - Define security controls and countermeasures: specifies the mechanisms to prevent, detect, and respond to security threats (authentication, encryption)
- Implementation
  - Follow secure coding practices and guidelines: reduces the likelihood of introducing vulnerabilities while coding (OWASP Top 10, CWE/SANS Top 25)
  - Perform code reviews: catches security issues before they propagate to later stages of the SDLC
  - Conduct unit and integration testing: verifies the functionality and security of individual components and their interactions
- Testing
  - Perform security testing: validates the effectiveness of security controls and identifies remaining vulnerabilities
    - Penetration testing simulates real-world attacks to uncover weaknesses
    - Vulnerability scanning automatically detects known security flaws
  - Conduct risk assessments and security audits: evaluates the overall security posture of the software and identifies areas for improvement
  - Validate security requirements and controls: ensures that the implemented security measures align with the defined objectives and standards
- Deployment
  - Harden the production environment: applies security configurations to minimize the attack surface (disabling unnecessary services, applying security patches)
  - Implement secure configuration management: ensures consistent and controlled deployment of the software across environments
  - Perform post-deployment security testing: verifies that the deployed software remains secure in the production environment
- Maintenance and Monitoring
  - Regularly apply security patches and updates: addresses newly discovered vulnerabilities and keeps the software and its dependencies current
  - Monitor for security incidents and breaches: enables prompt detection of and response to security events (SIEM tools, intrusion detection systems)
  - Conduct periodic security assessments and audits: regularly evaluates the software's security posture and identifies areas for continuous improvement
Security integration in SDLC
- Planning and Requirements
  - Involve the security team in requirement gathering: ensures that security considerations are incorporated from the beginning
  - Prioritize security requirements based on risk assessment: focuses effort on the threats with the highest potential impact and likelihood
  - Define security acceptance criteria: establishes clear benchmarks for determining whether the software meets the required security standards
- Design
  - Use secure design principles: incorporates fundamental security concepts into the software architecture
    - Least privilege grants users and components only the minimum permissions they need to do their job
    - Defense in depth layers multiple security controls so that no single control is a point of failure
  - Implement secure authentication and authorization mechanisms: ensures that only authorized users can access sensitive data and functionality (multi-factor authentication, role-based access control)
  - Design for secure data handling and storage: protects sensitive information throughout its lifecycle (encryption at rest and in transit, secure storage mechanisms)
- Implementation
  - Use secure coding standards and vetted libraries: promotes consistent, secure coding practices across the development team (OWASP Secure Coding Practices)
  - Implement input validation and output encoding: prevents injection attacks by validating input against an allowlist and encoding output for the context it is rendered in
  - Avoid common coding vulnerabilities: mitigates well-known security risks
    - SQL injection occurs when untrusted input is concatenated into the text of a SQL query instead of being passed as a bound parameter
    - Cross-site scripting (XSS) occurs when untrusted input is written into a web page without output encoding, letting an attacker run script in other users' browsers
- Testing
  - Develop comprehensive security test cases: covers a wide range of attack scenarios and security requirements
  - Perform static application security testing (SAST) and dynamic application security testing (DAST): automates the detection of vulnerabilities in the source code and in the running application
  - Conduct manual code reviews and penetration testing: leverages human expertise to find complex security issues and simulate real-world attacks
- Deployment
  - Implement secure deployment processes and procedures: ensures that the software is deployed in a controlled and secure manner (secure file transfer, access controls)
  - Use secure communication protocols: protects data in transit between the software and other systems
    - HTTPS encrypts web traffic using TLS (SSL is obsolete and should be disabled)
  - Configure security settings and harden the environment: reduces the attack surface by applying secure configurations and disabling unnecessary features
- Maintenance and Monitoring
  - Establish incident response and disaster recovery plans: provides a structured approach to detecting, responding to, and recovering from security incidents
  - Implement security information and event management (SIEM) tooling: aggregates and analyzes security logs to identify potential threats and anomalies
  - Conduct regular security awareness training for developers and stakeholders: promotes a culture of security and ensures that everyone understands their role in maintaining the software's security
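The "secure communication protocols" and "harden the environment" items above, as an added example that is not part of the original page: a weak TLS client configuration beside a hardened one, plus an audit function a deployment checklist could run. It uses only Python's standard `ssl` module and builds contexts without opening any connection; the function names and the particular set of checks are this example's own choices.

```python
"""Added example (not from the original page): a weak TLS client
configuration beside a hardened one, plus an audit function a deployment
checklist could run. Only ssl.SSLContext objects are built; no connection is
made. Function names and the set of checks are this example's own choices."""
import ssl


def legacy_client_context() -> ssl.SSLContext:
    """Weak configuration still found in old code: trusts any certificate,
    so an on-path attacker with a self-signed cert can read the traffic.
    The protocol minimum is left at whatever the library default is."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # chain is not validated at all
    return ctx


def hardened_client_context(ca_bundle=None) -> ssl.SSLContext:
    """What a hardening checklist should require for outbound HTTPS."""
    # create_default_context() already sets CERT_REQUIRED and check_hostname=True
    # and loads the platform trust store (or the given CA bundle).
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION          # CRIME mitigation; explicit for clarity
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("server hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression is enabled")
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_context(ctx) or "OK")
    # Typical use: urllib.request.urlopen(url, context=hardened_client_context())
```

The same audit can be pointed at a server-side context, or turned into a unit test that fails the build when someone reintroduces `CERT_NONE` to "fix" a certificate error in a hurry.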
Threat modeling for risk identification
- Threat modeling is a systematic approach to identifying, quantifying, and prioritizing potential security threats
  - Helps understand the attack surface and potential entry points by analyzing the software architecture, data flows, and trust boundaries
- Threat modeling techniques
  - STRIDE (categorizes threats by the security property they violate)
    - Spoofing: impersonating a user or system to gain unauthorized access (violates authentication)
    - Tampering: modifying data or code without authorization (violates integrity)
    - Repudiation: denying actions or transactions to avoid accountability (violates non-repudiation)
    - Information Disclosure: exposing sensitive data to unauthorized parties (violates confidentiality)
    - Denial of Service: disrupting the availability or performance of the system (violates availability)
    - Elevation of Privilege: gaining higher-level permissions than intended (violates authorization)
  - DREAD (rates each identified threat on five factors, typically 1 to 10 each, and averages them)
    - Damage: the potential impact of a successful attack
    - Reproducibility: how reliably the attack can be reproduced
    - Exploitability: how much effort and skill the attack requires
    - Affected Users: how many users would be impacted
    - Discoverability: how likely the vulnerability is to be found
    - Caveat: DREAD scores are subjective and vary between raters; Microsoft, which introduced it, later dropped it from its SDL for that reason, so treat it as a rough triage aid rather than a precise measure
  - Attack trees and attack graphs
    - Represent possible attack paths and scenarios visually, with the attacker's goal as the root and the steps needed to reach it as branches
    - Help identify the steps an attacker might take to compromise the system
- Threat modeling helps identify security controls and countermeasures to mitigate the identified risks
  - Enables informed decisions about prioritizing and implementing security measures based on risk level and potential impact
- Enables proactive security design and architecture decisions
  - Allows security considerations to be incorporated early in the design phase, reducing the cost and effort of fixing vulnerabilities later in the SDLC
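STRIDE and DREAD applied to a small data-flow model, as an added example that is not part of the original page. The mapping of STRIDE categories to element types (external entity, process, data flow, data store) follows the Microsoft SDL "STRIDE-per-element" chart; the sample system, the element names, the DREAD ratings, the choice to add Repudiation only for stores holding audit logs, and the choice to skip flows that stay inside one trust boundary are this example's own constructions.

```python
"""Added example (not from the original page): STRIDE-per-element threat
enumeration over a small data-flow model, ranked with DREAD.

The mapping of STRIDE categories to element types follows the Microsoft SDL
STRIDE-per-element chart; the sample system, names and DREAD ratings below
are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element: which categories apply to which DFD element type.
# Data stores only face Repudiation when they hold audit logs (handled below).
APPLICABLE = {
    Kind.EXTERNAL: "SR",
    Kind.PROCESS: "STRIDE",
    Kind.FLOW: "TID",
    Kind.STORE: "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    crosses_trust_boundary: bool = False  # flows only
    is_audit_log: bool = False            # stores only


@dataclass
class Threat:
    element: str
    category: str
    # (Damage, Reproducibility, Exploitability, Affected users, Discoverability), 1-10 each
    dread: Optional[tuple] = None

    @property
    def score(self) -> float:
        return sum(self.dread) / 5 if self.dread else 0.0


def enumerate_threats(elements) -> list:
    """One Threat per (element, applicable STRIDE category).

    Flows that stay inside one trust boundary are skipped: this example
    assumes the usual practice of modelling only boundary-crossing flows."""
    threats = []
    for el in elements:
        if el.kind is Kind.FLOW and not el.crosses_trust_boundary:
            continue
        categories = APPLICABLE[el.kind]
        if el.kind is Kind.STORE and el.is_audit_log:
            categories += "R"
        for c in categories:
            threats.append(Threat(el.name, STRIDE[c]))
    return threats


def rank_by_dread(threats, ratings) -> list:
    """Attach DREAD ratings keyed by (element, category) and sort, highest first.
    Unrated threats score 0 and sink to the bottom until someone rates them."""
    for t in threats:
        t.dread = ratings.get((t.element, t.category))
    return sorted(threats, key=lambda t: t.score, reverse=True)


# Constructed sample: a web login. Browser -> Web App crosses the Internet
# trust boundary; Web App -> Users DB stays inside the data centre.
SAMPLE_MODEL = [
    Element("Browser", Kind.EXTERNAL),
    Element("Web App", Kind.PROCESS),
    Element("Login request", Kind.FLOW, crosses_trust_boundary=True),
    Element("DB query", Kind.FLOW, crosses_trust_boundary=False),
    Element("Users DB", Kind.STORE),
    Element("Audit log", Kind.STORE, is_audit_log=True),
]

# Constructed ratings for two of the threats; the rest stay unrated.
SAMPLE_RATINGS = {
    ("Login request", "Tampering"): (8, 9, 7, 9, 6),
    ("Web App", "Elevation of Privilege"): (10, 5, 5, 10, 5),
}


def sample_report() -> list:
    return rank_by_dread(enumerate_threats(SAMPLE_MODEL), SAMPLE_RATINGS)


if __name__ == "__main__":
    for t in sample_report():
        print(f"{t.score:4.1f}  {t.element:14s} {t.category}")
```

The enumeration step is the part worth automating: it guarantees every element gets every applicable category considered, which is exactly what an ad-hoc brainstorm misses. The ranking step is only as good as the ratings, which is the DREAD caveat above in practice.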
Secure coding and testing practices
- Secure coding practices help prevent common vulnerabilities and weaknesses
  - Follow secure coding guidelines and standards
    - OWASP Top 10: highlights the most critical web application security risks
    - CWE/SANS Top 25: identifies the most widespread and dangerous software weaknesses
  - Use vetted security libraries and frameworks instead of hand-rolling security controls (OWASP Enterprise Security API)
  - Implement input validation, output encoding, and parameterized queries to prevent injection attacks and preserve data integrity
- Code reviews help identify and fix security issues early in the development process
  - Conduct manual code reviews by experienced developers who can spot subtle security flaws and coach others on secure coding practices
  - Use static analysis tools to automatically flag vulnerabilities and coding errors (SonarQube, Checkmarx)
  - Follow a well-defined review process and checklist so that security checks are applied consistently and thoroughly
- Testing is crucial to validate the effectiveness of security controls and identify remaining vulnerabilities
  - Develop comprehensive security test cases covering attack scenarios and edge cases
  - Perform both white-box testing (with knowledge of the system's internals) and black-box testing (from an external attacker's perspective)
  - Conduct penetration testing to simulate real-world attacks and uncover weaknesses in the system's defenses
  - Automate security testing with tools and frameworks to improve efficiency and coverage (OWASP ZAP, Burp Suite)
- Continuous testing and integration of security throughout the implementation phase
  - Catches and fixes issues promptly, preventing them from propagating to later stages of the SDLC
  - Provides early feedback and iterative improvement of the software's security posture
  - Facilitates collaboration between development and security teams so that security concerns are addressed in a timely manner
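The injection items in this section and in the "Security integration in SDLC" section (input validation and output encoding, SQL injection, XSS, parameterized queries, security test cases) in working code, as an added example that is not part of the original page: an injection-prone query and an injection-prone HTML renderer beside their hardened forms, plus a small set of security test cases that run attack payloads against both. It uses only Python's standard library with a constructed in-memory SQLite table; the table, usernames, allowlist pattern and payloads are this example's own assumptions.

```python
"""Added example (not from the original page): injection-prone code beside
its hardened form, plus the security test cases that exercise both. Uses only
the standard library (sqlite3, html, re) with a constructed in-memory table;
names, the allowlist pattern and the payloads are assumptions for illustration."""
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")  # assumed allowlist for usernames


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "alice@example.com", 0),
                      ("bob", "bob@example.com", 1)])
    conn.commit()
    return conn


# --- SQL injection: untrusted input spliced into the query text ---------------
def find_user_vulnerable(conn, username: str) -> list:
    # The username becomes part of the SQL grammar, so quotes and keywords
    # inside it change what the query means.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username: str) -> list:
    # Parameterized query: the driver passes the value separately from the SQL
    # text, so it can only ever be compared as data.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# --- Input validation: defense in depth, not a substitute for parameters ------
def validate_username(username: str) -> str:
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username must be 3-32 characters of [a-z0-9_]")
    return username


# --- Cross-site scripting: untrusted input spliced into HTML -------------------
def render_greeting_vulnerable(name: str) -> str:
    return f"<p>Hello {name}</p>"


def render_greeting_safe(name: str) -> str:
    # Output encoding for the HTML text context; attribute, URL and JavaScript
    # contexts each need their own encoder.
    return f"<p>Hello {html.escape(name)}</p>"


# --- Security test cases: attack payloads run against both implementations ----
SQLI_PAYLOADS = [
    "' OR '1'='1",                                      # tautology
    "alice' --",                                        # comment out the rest
    "x' UNION SELECT username, email FROM users --",    # pull other rows
]
XSS_PAYLOADS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
]


def leaked_rows(finder, conn, payloads) -> int:
    """Number of payloads for which a lookup of a non-existent user returned data."""
    return sum(1 for p in payloads if finder(conn, p))


def unescaped_outputs(renderer, payloads) -> int:
    """Number of payloads echoed back verbatim, i.e. reaching the browser as markup."""
    return sum(1 for p in payloads if p in renderer(p))


def rejected_by_validation(payloads) -> int:
    count = 0
    for p in payloads:
        try:
            validate_username(p)
        except ValueError:
            count += 1
    return count


def run_security_tests() -> dict:
    conn = make_db()
    return {
        "sqli_leaks_vulnerable": leaked_rows(find_user_vulnerable, conn, SQLI_PAYLOADS),
        "sqli_leaks_safe": leaked_rows(find_user_safe, conn, SQLI_PAYLOADS),
        "xss_unescaped_vulnerable": unescaped_outputs(render_greeting_vulnerable, XSS_PAYLOADS),
        "xss_unescaped_safe": unescaped_outputs(render_greeting_safe, XSS_PAYLOADS),
        "payloads_rejected_by_validation": rejected_by_validation(SQLI_PAYLOADS + XSS_PAYLOADS),
    }


if __name__ == "__main__":
    for name, value in run_security_tests().items():
        print(f"{name}: {value}")
```

The payload lists are the security test cases from the checklist above, turned into something a CI job can run on every commit: the vulnerable functions leak on every payload, the parameterized and encoded versions leak on none, and the allowlist rejects all of them before they reach either. Keep all three controls; validation alone would not help a field that legitimately contains quotes, which is why the parameterized query is the primary fix.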