The classic software development life cycle (SDLC) does not include a security analysis of the product being developed. As a result, security is not considered until the testing stage or after the release, which significantly increases the cost of detecting and eliminating vulnerabilities. To overcome this disadvantage, an extended version of the SDLC, called the Secure SDLC (SSDLC), has been developed.
The purpose of the SSDLC is to supplement the stages of the software life cycle with processes for detecting and eliminating vulnerabilities. This helps detect and resolve security issues long before the software is deployed. The following is a brief description of these changes for each stage.
In addition to the basic software development requirements, security requirements are also collected at this stage by analyzing potential threats. Here are a few examples of such requirements:
This stage includes the analysis of security risks and attack surfaces. A threat model is created based on the security requirements gathered at the previous stage.
The system design is based on the threat model developed at the previous stage.
At this stage, developers pay great attention to code quality in terms of security. To do so, they:
Note. The PVS-Studio static code analyzer detects not only common errors but also security vulnerabilities in code, serving as both an SCA solution and a SAST solution.
At this stage, additional types of testing are introduced, such as:
Deployment
A security assessment and software security audit are performed just before the deployment.
Even if you take a responsible approach to security at the previous stages, some vulnerabilities may escape your attention and make it into the release. Also, even after the release, previously unknown vulnerabilities may be discovered not only in your code but also in the code of your software dependencies. Such vulnerabilities are called "zero-day vulnerabilities". Therefore, it is necessary to continue monitoring and promptly eliminating new vulnerabilities throughout the entire support period of the software.
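The continued monitoring described above is, in practice, a recurring check of the release's dependency list against newly published advisories. The following is an added example, not code from the original page or from PVS-Studio: a minimal software-composition check that parses a pinned dependency manifest and reports every pin that falls inside an advisory's affected version range. The manifest, the package names and the advisory identifiers (`ADV-EXAMPLE-…`) are constructed sample data, not real packages or CVEs; a real deployment would pull the advisory feed from a vulnerability database and run the check on a schedule for as long as the release is supported.

```python
"""
Added example (not from the original page): a minimal software-composition
check that compares a project's pinned dependencies against a list of
vulnerability advisories. Manifest, package names and advisory ids below
are constructed sample data, not real packages or real CVEs.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample manifest in pip "requirements.txt" style (name==version).
SAMPLE_MANIFEST = """\
# constructed sample project, not a real one
examplelib==1.4.2
netparser==0.9.0
imgcodec==2.1.7
"""

# Constructed advisory feed. An affected range is [introduced, fixed):
# the "fixed" version itself and anything later is NOT affected.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "netparser",
     "introduced": "0.8.0", "fixed": "0.9.3", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "imgcodec",
     "introduced": "2.0.0", "fixed": "2.1.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0003", "package": "examplelib",
     "introduced": "1.5.0", "fixed": "1.5.4", "severity": "medium"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2). A non-numeric component counts as 0."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_in_range(version: str, introduced: str, fixed: str) -> bool:
    """True if introduced <= version < fixed, padding short tuples with zeros
    so that '1.4' and '1.4.0' compare as equal rather than as different."""
    v, lo, hi = (parse_version(x) for x in (version, introduced, fixed))
    width = max(len(v), len(lo), len(hi))

    def pad(t: Tuple[int, ...]) -> Tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; comments and blank lines are skipped.
    Anything else is rejected loudly so an unparsed pin can't slip by unchecked."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)", line)
        if not match:
            raise ValueError(f"unsupported pin (only name==version is handled): {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def find_affected(manifest_text: str, advisories: List[dict]) -> List[dict]:
    """Return one record per pinned dependency that an advisory covers,
    most severe first, so the output can gate a build or a support-period check."""
    pins = parse_manifest(manifest_text)
    hits = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is None:
            continue  # dependency not used by this release
        if version_in_range(pinned, adv["introduced"], adv["fixed"]):
            hits.append({
                "package": adv["package"],
                "pinned": pinned,
                "advisory": adv["id"],
                "severity": adv["severity"],
                "fixed_in": adv["fixed"],
            })
    hits.sort(key=lambda h: SEVERITY_ORDER.get(h["severity"], 99))
    return hits


if __name__ == "__main__":
    findings = find_affected(SAMPLE_MANIFEST, SAMPLE_ADVISORIES)
    for hit in findings:
        print(f"[{hit['severity']}] {hit['package']}=={hit['pinned']} "
              f"affected by {hit['advisory']}, fixed in {hit['fixed_in']}")
    # Non-zero exit code lets a scheduled job or CI stage fail on any finding.
    raise SystemExit(1 if findings else 0)
```

On the constructed data only `netparser==0.9.0` is reported: `imgcodec==2.1.7` sits past its advisory's fixed version and `examplelib==1.4.2` sits before the introduced version, which is exactly the boundary handling a naive string comparison gets wrong.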