
2/7/2018 What Is the Secure Software Development Life Cycle | Synopsys

SSDLC 101: What is the secure software development life cycle?


Posted by Ernest Mougoue on January 21, 2016

Most organizations have a well-oiled machine whose sole purpose is to create, release, and maintain
functional software. However, the increasing concerns and business risks associated with insecure
software have brought increased attention to the need to integrate security into the development process.
Implementing a proper Secure Software Development Life Cycle (SSDLC) is more important now than
ever.

Secure SDLC: What is it and why should I care?


A Software Development Life Cycle (SDLC) is a framework that defines the process used by
organizations to build an application from its inception to its decommission. Over the years, multiple
standard SDLC models have been proposed (Waterfall, Iterative, Agile, etc.) and used in various ways to
fit individual circumstances. It is, however, safe to say that, in general, SDLCs include the following phases:

- Planning and requirements
- Architecture and design
- Test planning
- Coding
- Testing and results
- Release and maintenance

In the past, it was common practice to perform security-related activities only as part of testing. This after-
the-fact technique usually resulted in a high number of issues discovered too late (or not discovered at
all). It is a far better practice to integrate activities across the SDLC to help discover and reduce
vulnerabilities early, effectively building security in.

It is in this spirit that the concept of Secure SDLC arises. A Secure SDLC process ensures that security
assurance activities such as penetration testing, code review, and architecture analysis are an integral
part of the development effort. The primary advantages of pursuing a Secure SDLC approach are:

- More secure software as security is a continuous concern
- Awareness of security considerations by stakeholders
- Early detection of flaws in the system
- Cost reduction as a result of early detection and resolution of issues
- Overall reduction of intrinsic business risks for the organization

How does it work?


Generally speaking, a Secure SDLC is set up by adding security-related activities to an existing
development process. For example, writing security requirements alongside the collection of functional
requirements, or performing an architecture risk analysis during the design phase of the SDLC.

Many Secure SDLC models have been proposed. Here are a few of them:

- MS Security Development Lifecycle (MS SDL): One of the first of its kind, the MS SDL was
  proposed by Microsoft in association with the phases of a classic SDLC.
- NIST 800-64: Provides security considerations within the SDLC. Standards were developed by the
  National Institute of Standards and Technology to be observed by US federal agencies.
- OWASP CLASP (Comprehensive, Lightweight Application Security Process): Simple to implement
  and based on the MS SDL. It also maps the security activities to roles in an organization.

How Do I Get Started?


If you are a developer or tester, there are definitely some actions that can be taken in your day-to-day
activities to improve the security posture of your organization, including:

- Educate yourself and co-workers on the best secure coding practices and available frameworks for
  security
- Consider security when building/planning for test cases
- Use code scanning tools such as SecureAssist, Coverity, and AppScan Source

However, management must be involved in devising a strategic approach for a more significant impact.
As a decision maker interested in implementing a complete SSDLC from scratch, here’s how to get
started:

- Perform a gap analysis to determine what activities/policies currently exist in the organization and
  their effectiveness.
- Set up a Software Security Initiative (SSI) by establishing realistic and achievable goals with
  defined metrics for success. Processes for security activities should be formalized during SSI
  setup.
- Invest in hiring and training of employees as well as appropriate tools.
- Use outside help as needed.

Are you thinking “I am way ahead of you, what’s next?”


Your organization already has a Secure SDLC implemented? Fantastic, well done! There is always
room for improvement. One way to determine your standing is by comparing it with how other
organizations built their security program and what activities they perform. The BSIMM (Building Security
In Maturity Model) can help with just that.

https://www.synopsys.com/blogs/software-security/secure-sdlc/ 2/2