Strategic Benefits of Secure Software Development Lifecycle (SSDLC) Approach

Ever wondered about the biggest hitch in security planning for projects? The surprising and shocking answer is that there is no planning or very little planning on security, be it minor or major projects! Last minute additions and damage-control exercises come into play only after ‘Vulnerability Assessment and Penetration Testing’ (VAPT) which is conducted prior to ‘go live.’ Implementation of security controls at the end could affect inter-related functions in an application and also incur additional man-hours, costs and delays in go-live. On some occasions, there is severe time crunch between VPAT and ‘go-live’ date. The tight deadline and lack of man-hours gives little room for fixing issues and mitigating the identified risks. Hence, ‘first-time right,’ or ‘defect-free release’ software are far-fetched in these cases.

ReBIT has developed Secure Software Development Lifecycle (SSDLC) framework, for better security planning and implementation. The unique aspect of SSDLC framework are as follows:

• This framework plugs-in security activities and their output documents in each project development stage, right from Requirements stage to Disposal stage

• This transparency will help to estimate the efforts required to conduct each security activity

• Once these security activities and effort estimate are included in the project plan, the security engineer’s deliverables and timelines are clearly established

The framework introduces security stage gates at the end of each SSDLC stage. At the stage gate, output documents from security activities performed in that stage will be verified and approved. Once this is complete, the project development activities can proceed as per the next stage.

ReBIT has developed a RACI matrix for each output document which will outline the teams which are Responsible, Accountable, Consulted and Informed (RACI) for the outputs.

The diagram below provides a summary of the security activities that needs to be conducted in each stage. Click here to see the complete framework.

ReBIT’s SSDLC approach takes inspiration from the much-sought SSDLC model of the National Institute of Standards and Technology (NIST) and it has been tailored to suit our requirements. The approach calls for additional activities in project development phase, but the strategic benefits will overweigh the time and efforts invested in the additional activities.