Our website uses cookies to enhance your browsing experience.
Accept
to the top
>
>
>
Secure Software Development Lifecycle (…

Secure Software Development Lifecycle (SSDLC)

Mar 20 2024

The classic software development life cycle (SDLC) does not include a security analysis of the product being developed. As a result, security is not considered until the testing stage or after the release. This significantly increases the cost of detecting and eliminating vulnerabilities. To overcome the disadvantage, an extended version of SDLC called SSDLC has been developed.

Stages of SSDLC

The purpose of SSDLC is to supplement the software lifecycle stages with processes for detecting and eliminating vulnerabilities. This helps detect and resolve security issues long before the software is deployed. The following is a brief description of these changes for each stage.

Collecting and analyzing requirements

In addition to the basic software development requirements, security requirements are also collected at this stage by analyzing potential threats. Here are a few examples of such requirements:

  • providing identification and authentication;
  • ensuring protection against unauthorized access;
  • establishing a process for logging events and errors;
  • ensuring quality control of data entering the system.

Risk analysis and planning

This stage includes the analysis of security risks and attack surfaces. A threat model is created based on the security requirements gathered at the previous stage.

Design/Prototyping

The system design is based on the threat model developed at the previous stage.

Development

At this stage, developers pay great attention to code quality in terms of security. To do so, they:

  • check software vulnerability lists such as CWE and OWASP Top 10;
  • use static application security testing (SAST) solutions;
  • analyze dependencies for vulnerabilities using software composition analysis (SCA) tools;
  • perform additional code reviews to detect missed security weaknesses, etc.

Note. The PVS-Studio static code analyzer detects not only common errors but also security vulnerabilities in code, serving as both an SCA solution and a SAST solution.

Testing

At this stage, additional types of testing are introduced, such as:

  • penetration testing;
  • testing by simulated hacker attacks;
  • fault tolerance testing (fuzz testing is the practice of entering random or obviously false data to cause a system to fail).

Deployment

A security assessment and software security audit are performed just before the deployment.

Maintenance

Even if you take a responsible approach to security at the previous stages, some vulnerabilities may escape your attention and make it into the release. Also, even after the release, previously unknown vulnerabilities may be discovered not only in your code but also in the code of your software dependencies. Such vulnerabilities are called "zero-day vulnerabilities". Therefore, it is necessary to continue monitoring and promptly eliminating new vulnerabilities throughout the entire support period of the software.

Popular related articles


Comments (0)

Next comments next comments
close comment form
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
New License
License Renewal
--Select currency--
USD
EUR
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS‑Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

close form
I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you do not see the email in your inbox, please check if it is filtered to one of the following folders:

  • Promotion
  • Updates
  • Spam