The SDLC (software development lifecycle a.k.a systems development lifecycle) is really just a fancy term that highlights the fact that there are many phases in the life of a system (whether a physical product, information system, or similar thing). These phases vary depending on who is writing about it, and the phases overlap considerably, and sometimes are ill-defined. There is a lot of iteration as well. Perhaps it’s better to talk about “things we do when planning, building, deploying and maintaining” but hey, the term stuck.
What kind of lifecycle phases are out there? These are things like Ideation, Planning, (Requirements) Analysis, Design, Implementation, Code Review, Testing, Documentation, Integration, Deployment, Maintenance, Evaluation, Retirement, Disposal.
Read about the SDLC at Wikipedia.
Security concerns need to be applied everywhere within the SDLC. But how? Rather than me explaining it, read through this excellent presentation.
Here’s a talk by the author of that presentation, Jim Manico:
How do we “do security” in the early (analysis and design phases) of the SDLC? You should first be pretty well-versed in security concepts, principles, and some known vulnerabilities, and then design accordingly. The design phase in a SSDLC (security-focused software development lifecycle) goes roughly like this:
You might also find that doing Domain-Driven Design helps.
All systems that manage assets in need of protection should have a documented threat model. When creating your Threat Model you take a holistic, global view of your system, and systematically document:
Documenting the threats you might face and what you will do if you encounter them is valuable documentation! If you have a plan in place to respond and fix and deploy a patch, you’ll be able to do so when the time comes. Faster and more efficiently.
Learn more by reading OWASP Threat Modeling Post and the Wikipedia article on Threat Modeling, then (don’t miss this one) this CMU SEI blog article by Nataliya Shevchenko.
Remember, you have to think like an attacker. Learn how to do this, even if it is hard. Most developers want to build, not break. Ask your QA friends about breaking things.
Now that you have a threat model in place, the software can be designed. Remember that every fiber of your being should apply secure software design principles as you spec out, code, and test your creation. In no particular order, here’s a list of design principles.
Domain-driven design, or DDD, can help with designing security in.
Informally, DDD is motivated by facts such as:
Taking the time to understand your domain, and defining behaviors and constraints at the point of model definition prevents many vulnerabilities and keeps you from having to bolt-on ad-hoc security rules later.
Eric Evans created the whole DDD thing and he summarizes it this way:
Domain-Driven Design is an approach to the development of complex software in which we:— Eric Evans, Domain-Driven Design Reference
- Focus on the core domain.
- Explore models in a creative collaboration of domain practitioners and software practitioners.
- Speak a ubiquitous language within an explicitly bounded context.
DDD is about:
A good domain model is simple (focusing on the relevant parts and abstracting away certain details), understandable, with a precise vocabulary. It is high-level enough to be separated from low-level concerns, but low-level enough to be mapped easily to code.
Examples of domains are: Baggage handling, Compilers, E-commerce, Trading. What are some others? In a domain of your choice, what are some of the things the system should do? What are the points in the system that a user or external system could input bad data?
There can be a danger in developing a massively general system and then trying to shoehorn different domains into it. Sometimes you get lucky. But you should really start with domain knowledge.
The five main definitions (from the Reference):
Building Blocks:
Designing for Change:
We’ve covered: