AppSec Knowledge Base

SOFTWARE DEVELOPMENT LIFECYCLE (SDLC)

What is a Software Development Lifecycle?

SDLCs are a series of steps that govern the process of creating and maintaining software.

SDLC Defined:

SDLC stands for software development lifecycle. A software development lifecycle is essentially a series of steps, or phases, that provide a framework for developing software and managing it through its entire lifecycle. Although there's no specific technique or single way to develop applications and software components, there are established methodologies that organizations use and models they follow to address different challenges and goals. These methodologies and models typically revolve around a standard, such as ISO/IEC 12207, which establishes guidelines for the development, acquisition, and configuration of software systems.

Software Development Methodologies

The most frequently used software development models include:

Waterfall: This technique applies a traditional approach to software development. Groups across different disciplines and units complete an entire phase of the project before moving on to the next step or the next phase. As a result, business results are delivered at a single stage rather than in an iterative framework.

Agile: Adaptive planning, evolutionary development, fast delivery, continuous improvement, and a highly rapid and flexible response to external factors are all key components of an Agile approach. Developers rely on a highly collaborative, cross-functional framework — with a clear set of principles and objectives — to speed development processes.

Lean Software Development (LSD): This methodology relies on techniques and practices used within a lean manufacturing environment to establish a more efficient and fast development culture. These techniques and practices include eliminating waste, amplifying learning, making decisions as late in the process as possible, delivering fast, empowering a team, embracing integrity, and viewing development as broadly as possible.

DevOps: This technique combines "development" and "operations" functions in order to build a framework focused on collaboration and communication. It aims to automate processes and introduce an environment focused on continuous development. Learn how Veracode enables DevOps.

Iterative Development: As the name implies, iterative software development focuses on an incremental approach to coding. The approach revolves around shorter development cycles that typically tackle smaller pieces of development. It also incorporates repeated cycles: an initialization step, an iteration step, and a project control list. Iterative development is typically used for large projects.

Spiral Development: This framework incorporates different models, based on what works best in a given development process or situation. As a result, it may rely on waterfall, Agile, or DevOps for different components or for different projects that fit under the same software development initiative. Spiral uses a risk-based analysis approach to identify the best choice for a given situation.

V-Model Development: The approach is considered an extension of waterfall development methodologies. It revolves around testing methods and uses a V-shaped model that focuses on verification and validation.


Phases of the SDLC Process

A sound SDLC strategy delivers higher-quality software, fewer vulnerabilities, and reduced time and resources. It not only aids in developing and maintaining software, it delivers benefits when the time comes to decommission code. Veracode makes it possible to integrate automated security testing into the SDLC process. Here's how you can tackle the task effectively:

Step 1: Plan

The first step in any initiative is to map out a planning process. During this phase, an organization must identify the release theme, contents, and timeline. This typically includes activities such as collecting end-user requirements, determining user stories to include in the release, and planning release phases and dates.

Key considerations at this phase include:

  • Ensuring an application meets business requirements.
  • Engaging in threat modeling/secure design.
  • The choice of language and libraries to use in the development process.
  • Mapping test cases to business and functional requirements.

Tools You Can Use

Veracode eLearning: This service includes courses on Secure Architecture & Design and Threat Modeling.

Did You Know?

64% of defects originate in the requirement phase.[1]

Step 2: Code and Build

This phase includes the actual engineering and writing of the application — while attempting to meet all of the requirements established during the planning phase.

Key considerations at this phase include:

  • Training developers on secure coding.
  • Finding and fixing defects and security vulnerabilities in code, while writing it.
  • Using open-source components in a secure way.
  • Reducing unproductive time that developers spend waiting for test results.

Tools You Can Use

Veracode Greenlight: Find security defects in your code and view contextual remediation advice to help you fix issues in seconds, right in your IDE.

Veracode Developer Sandbox: Individual developers or development teams assess new code against the required security policy — without affecting compliance reporting for the version of the application currently in production and before committing code to the master branch.

Did You Know?

80% of Dev and QA teams experience delays due to dependencies.[2]

Developers who receive eLearning fix 20% more flaws.

Developing and building continuously helps teams release apps up to 20x faster.[3]

Step 3: Test

During this phase, the team tests code against the requirements to make sure the product is addressing them and performs as expected. This phase includes conducting all types of performance, QA, and functional testing, in addition to non-functional testing, such as UX testing. While testing has traditionally taken place after the development phase, organizations embracing a best-practice approach are moving to continuous automated testing throughout the SDLC.

Key considerations at this phase include:

  • Testing the application against security policy using several testing methods, including static, dynamic, software composition analysis, and manual penetration testing.
  • Conducting a comprehensive array of performance, functional, unit, and integration testing using the same languages and protocols as the systems being tested.

Tools You Can Use

Veracode Static Analysis: Upload a single packaged application to the Veracode Application Security Platform to kick off a scan and get a pass/fail result.

Did You Know?

A 2017 study conducted by Freeform Dynamics and CA Technologies found that 49% of IT and testing professionals believe continuous testing is important for meeting evolving business needs and expectations.

Scanning frequently in a developer sandbox before checking completed code enables developers to fix 48% more flaws than conducting policy scans only.

Step 4: Stage

In the release phase, a team deploys the software onto production servers. This includes packaging, managing, and deploying multiple complex releases across various environments, including private data centers and clouds, as well as public cloud resources.

Key considerations at this phase include:

  • Tracking the progress of a release and its components.
  • Moving away from manual release processes to an automated process where releasing software is based on a business decision.
  • Adding security testing as part of the final quality checks.

Did You Know?


72% of advanced DevOps adopters fully use release automation tools, but shockingly, 83% of IT professionals say they still use spreadsheets as a primary way to handle releases.[4]

Step 5: Deploy and Monitor

During this phase, a product is in production and being used by customers. Monitoring the application's performance and user experience is critical to ongoing improvement. An organization establishes feedback loops to ensure operational data is made available to developers and testers.

Key considerations at this phase include:

  • Continuing to test and monitor applications in production.
  • Re-assessing applications for performance, security, and user experience as they’re updated or changed.

Tools You Can Use

Veracode Dynamic Analysis (Discovery plus Dynamic Testing): Find, secure, and monitor all of your web applications — not just the ones you know about.

Veracode Manual Penetration Testing: Pen testers conduct simulated attacks for complete assurance.

Did You Know?

80% of resolution time is spent identifying issues.[5]

Lower performers spend up to 22% of their time on excess rework.[6]

Benefits of Establishing a Robust Software Development Process

Today's increasingly complex software development environment requires elegant and comprehensive solutions. Developers must juggle numerous tools and technologies while producing code that performs at the level of digital business. Teams must address an array of issues, including coding to APIs, mobile, and cloud environments. Too many tools lack the flexibility required for developers and many also come with a steep learning curve.

It's essential to adopt tools that detect application security vulnerabilities and integrate risk data and metrics in an automated fashion. Organizations that introduce an integrated approach to security and build protection into their SDLC are able to reduce risk, trim costs, and speed development. They’re able to develop new applications and continuously update existing software without sacrificing security. The Veracode platform offers a full set of tools, and APIs, to ensure that an organization is achieving the best possible level of protection.

Embedding Security Testing into Your SDLC

An effective AppSec initiative is one that incorporates key protection strategies into an SDLC approach. These include:

Unit Testing

All security-sensitive code should have a corresponding test suite that verifies that every outcome of every security decision works properly. While this approach requires a good deal of effort, it greatly improves the odds of catching vulnerabilities before they emerge as actual breaches. An effective program recognizes a few things: no code change is so minor that it can be ignored, any vulnerability can lead to a catastrophic failure, and it's critical to always run the entire test suite before moving any software into production. What's more, unit testing must be coordinated, and third-party vulnerabilities and risks must be addressed, as well.
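The paragraph above asks for a test per outcome of each security decision. The following is an added example, not code from the page or from Veracode: a small, hypothetical authorization function whose every branch (inactive principal, unknown role, action not in policy, non-owner write, and the allow case) has a dedicated test, plus an exhaustive sweep over the role/action/resource space so that any new branch that fails open is caught. The policy table, roles and resource kinds are constructed for illustration.

```python
"""Added example: unit tests covering every outcome of one security decision.

The authorize() function, its POLICY table and the roles/resources are
hypothetical and constructed for this illustration only.
"""
import io
import unittest
from dataclasses import dataclass

# Constructed policy table: role -> set of (action, resource_kind) it may perform.
POLICY = {
    "viewer": {("read", "report")},
    "editor": {("read", "report"), ("write", "report")},
    "admin": {("read", "report"), ("write", "report"),
              ("delete", "report"), ("write", "user")},
}
MUTATING_ACTIONS = ("write", "delete")


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str
    active: bool = True


@dataclass(frozen=True)
class Resource:
    kind: str
    owner_id: str


def authorize(principal, action, resource):
    """Return (allowed, reason). Each early return is one security outcome;
    the suite below has a test for every one of them, deny paths included."""
    if not principal.active:
        return False, "inactive_principal"
    if principal.role not in POLICY:
        return False, "unknown_role"           # default-deny for unknown roles
    if (action, resource.kind) not in POLICY[principal.role]:
        return False, "action_not_permitted"   # default-deny for unknown actions
    # Non-admins may only mutate resources they own; admins may mutate any.
    if action in MUTATING_ACTIONS and principal.role != "admin" \
            and resource.owner_id != principal.user_id:
        return False, "not_owner"
    return True, "ok"


class AuthorizationTests(unittest.TestCase):
    def setUp(self):
        self.own = Resource("report", "alice")
        self.other = Resource("report", "bob")

    # One test per outcome, including every deny reason.
    def test_viewer_may_read(self):
        self.assertEqual(authorize(Principal("alice", "viewer"), "read", self.other), (True, "ok"))

    def test_viewer_may_not_write(self):
        self.assertEqual(authorize(Principal("alice", "viewer"), "write", self.own),
                         (False, "action_not_permitted"))

    def test_editor_writes_own_report(self):
        self.assertEqual(authorize(Principal("alice", "editor"), "write", self.own), (True, "ok"))

    def test_editor_cannot_write_others_report(self):
        self.assertEqual(authorize(Principal("alice", "editor"), "write", self.other), (False, "not_owner"))

    def test_admin_deletes_any_report(self):
        self.assertEqual(authorize(Principal("root", "admin"), "delete", self.other), (True, "ok"))

    def test_inactive_principal_denied_even_if_admin(self):
        self.assertEqual(authorize(Principal("root", "admin", active=False), "read", self.own),
                         (False, "inactive_principal"))

    def test_unknown_role_denied(self):
        self.assertEqual(authorize(Principal("eve", "guest"), "read", self.own), (False, "unknown_role"))

    def test_unknown_action_denied(self):
        self.assertEqual(authorize(Principal("alice", "editor"), "export", self.own),
                         (False, "action_not_permitted"))

    def test_no_fail_open_anywhere(self):
        # Sweep the whole decision space; anything not explicitly permitted must deny.
        for role, allowed in POLICY.items():
            for action in ("read", "write", "delete", "export"):
                for kind in ("report", "user"):
                    got, _ = authorize(Principal("alice", role), action, Resource(kind, "bob"))
                    expected = (action, kind) in allowed and not (
                        action in MUTATING_ACTIONS and role != "admin")
                    self.assertEqual(got, expected, (role, action, kind))


def run_suite():
    """Run the suite quietly; returns True only if every outcome test passed."""
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(AuthorizationTests)
    return unittest.TextTestRunner(stream=io.StringIO()).run(suite).wasSuccessful()


if __name__ == "__main__":
    unittest.main()
```

The sweep test is the piece that pays for itself over time: when someone adds a new role or action, the suite fails unless the policy table is updated deliberately, which is exactly the "no change is too minor" discipline the paragraph describes.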

Black Box Testing

This approach, also known as dynamic application security testing (DAST), is a critical component for application security — and it’s an integral part of an SDLC framework. The technology looks for vulnerabilities that an attacker could exploit when an application is running in production. It runs in real-time and accomplishes the task without actual access to code and with no understanding of the underlying structure of the application. Simply put: It displays vulnerabilities — including input/output validation problems, server configuration mistakes or errors, and other application-specific problems — as an attacker would see them. Veracode's DAST solution offers comprehensive scanning of applications from inception through production. The black box analysis searches inside debug code, directories, leftover source code, and resource files to find SQL strings, ODBC connectors, hidden passwords or usernames, and other sensitive information that malicious individuals could use to hack an application.

White Box Testing

The ability to find and fix coding vulnerabilities promptly is nothing less than critical. Veracode's white box test solution uses static analysis to spot common flaws without actually executing the software. In fact, the solution analyzes all code — including third-party components and libraries across all major frameworks — to ensure the highest level of protection. The white box testing tool scales quickly to address aggressive deadlines, and it’s designed to fit into a software development lifecycle easily and seamlessly, while aiding in compliance requirements.


As the digital age matures and as software code becomes part of every product, service, and business process, it's clear that there's a strong need for a comprehensive and holistic approach to application security. A business and security framework that revolves around a software development lifecycle is all about dollars and sense.


[1] Hyderabad Business School, GITAM University, Quality Flaws: Issues and Challenges in Software Development, 2012.

[2] Voke Research, Market Snapshot Report: Service Virtualization, January 21, 2015.

[3] Forrester Research, The Total Economic Impact of CA Release Automation, December 2015.

[4] CA Technologies DevOps Research, Prepared by SpiceWorks, February 2017.

[5] Forrester Research, The Total Economic Impact of CA Release Automation, December 2015.

[6] DORA and Puppet Labs, 2017 State of DevOps Report, 2017.
