From the course: Complete Guide to Application Security

Security in the software development lifecycle (SDLC)

From the course: Complete Guide to Application Security

Start my 1-month free trial Buy for my team

Security in the software development lifecycle (SDLC)

- Alright, let's talk about how applications actually come to life. It's not like they magically appear overnight. There's no application stork, no basket of apps delivered to your organization's doorstep. Instead, we have teams of talented people following a structured process with distinct stages. This process is what we call the Software Development Lifecycle, or SDLC for short. While SDLCs can vary from one organization to the next, they generally follow a similar pattern. They move from the requirements gathering and analysis stage onto design, then to the develop and build stage before testing and ultimately release. In this model, the whole process starts with requirements gathering and analysis. This is where we figure out what the application is supposed to do and why we're building it in the first place. We need to understand the user needs and the business objectives. And one of the best ways to do this is by talking to people. A requirements gathering form might be a great start, but ongoing conversations about the design will help fill in the gaps that you might have and ensure that you and your internal customer are on the same page. Once we've got a solid understanding of what the application is supposed to do, we're ready to move on to the design stage. Now we start creating a blueprint for the application. We translate the input from the previous stage into the technical features and functionality needed to meet those requirements. But here's the key with DevSecOps, we perform this design with security in mind from the very beginning. We consider potential threats in how to build in controls to proactively counter those threats. And by the way, if you want to dive deep into threat modeling, check out Adam Shostack's courses here on LinkedIn. They're fantastic. And once the design is at least somewhat coherent, the team rolls up their collective sleeves and we start tackling the develop and build stage. This is where the code gets written, where the developers and engineers take that design and bring it to life. And in a DevSecOps world, we're not just coding for functionality, we're using secure coding practices to prevent vulnerabilities. Once we have a working version of our application, it's time to put the app through its paces. We're ready for the testing stage. We run a battery of tests to make sure that everything's working is expected. This includes functional testing or use cases, but it also includes security testing or misuse cases. We look for vulnerabilities and weaknesses using a variety of tools and techniques. We want to catch and fix any security issues before they reach the end users. With our testing complete, we're finally ready for the big moment, the release. The app is ready to be shared with the world, or at least with its intended users. So we deploy it to production, we announce our release, and then we let end users begin interacting with the application. But the journey doesn't end there. Applications have a life cycle. Things change over time. New business requirements come up and we need to add new features to address those requirements. We'll also need to fix bugs, both functional bugs and security bugs. This means ongoing maintenance and updates. And with each change, we need to consider the security implications of that change and we need to integrate security testing into the process. Any application change, security driven or otherwise can impact the user experience. Balancing functionality and security can be tricky, but this is where DevSecOps really shines. By building security into the entire lifecycle and not just at the beginning, we're more likely to reduce the user impact while maintaining a healthy level of application security. Eventually the app might reach a point where it needs to be decommissioned, which is just a fancy way of saying the app is either being retired or replaced. But until then, it's all about continuous improvement and continuous security.

Contents