System Development Life Cycle
The System Development Life Cycle (SDLC) is a linear, waterfall model of a project. There are several other models which provide more flexibility and allow for change during the project life cycle. Regardless of the model used, the basic functional stages of the System Development Life Cycle (SDLC) must be implemented to complete projects. Some stages will be repeated. This page examines the SDLC and what should be done during each phase.
System Development Life Cycle (SDLC) Phases
The system development life cycle includes several phases described below.
Project planning - A high-level design is done and a business justification for the project is provided. Project goals are determined. A project model may be built and a feasibility study is done to determine whether the project should go forward.
Requirements definition - Functional characteristics which meet the project goals for the desired system are defined. User needs are analyzed. The system functional specification is developed. This is a list of system requirements and desired characteristics of the system which will specify system performance parameters. During this timeframe, the security requirements must be included.
Systems design - Detail is added to the functional design which includes how to make each function work. Flow charts are created, screen layouts are designed, and pseudocode is created along with other documentation. Threat modeling should be complete before the end of the design phase.
When designing the product and defining the project security goals, consider:
The type of users of the application.
Whether the users will need the application to be secure, or care whether it is.
Whether the users will store sensitive data.
Where users will use the product, such as at home or at work, and whether it will be on the internet or behind a firewall.
What needs to be protected.
Who manages the program or application.
How the application communicates.
Implementation - This phase, also known as the development phase, is where the system is created in a test mode by the developers. Code reviews should begin during this phase.
Testing and Integration - The system is tested and errors are fixed while checking for interoperability between system components and other systems. Code reviews should be completed during this phase.
Documentation - The internal design of the software is completed and formally documented. User guides and manuals are created.
Deployment - The system is tested and accepted by the customer and the system is put into production. Training is provided.
Maintenance - Changes are made to the system and problems are fixed over the life of the system. For some iterative projects, the phases may repeat in some form where updates are done, testing is done, and documentation and training are updated. Software change management must be used to be sure changes are authorized and documented.
During the product development cycle, allow for:
Security education - Application developers, testers, and managers should have security training. Training about code mistakes that lead to security vulnerabilities will help code reviewers find flaws.
External code review
Security team review of the application design