Is the Traditional Software Development Cycle Adequate?
Production software is usually created using the software development life cycle (SDLC).
The phases are typically begin with gathering requirements, design, implementation, testing, and release (evolution). This basic life cycle does not account for vulnerabilities. The secure coding practices that we have learned in this course are surprisingly not a part of your average software development life cycle. Because security is not at the forefront of most software development life cycles, it’s no surprise that 80% of web applications in production today are vulnerable to common attacks!
How Is Security Handled in a Traditional Software Life Cycle?
What happens when vulnerabilities come up while testing? The issues are sent back to the development team. Redesigning and coding a lot of basic functionality can be a costly process.
What happens when vulnerabilities pop up after the software has been released? Since it's already in production, you can’t go back and fix the original code. Now, you have to create a patch and hope that the clients will apply it.
How can you avoid all these costly and time-consuming processes?
You guessed it, use your secure coding practices to do it right the first time!
Add Security to the Software Development Life Cycle
There are many organizations including OWASP that have proposed a security integrated life cycle (SDLC) or secure software development life cycle (SSDLC). There is still a lot of debate in the subject; however, in large scale web application production, security will most likely be integrated into the already used SDLC model used by the organization.
Because a proper security policy would include security mindedness in all processes, a focus on security should be integrated into all phases of the life cycle.
Let's Recap!
The SDLC is used by organizations with large software projects.
Traditionally it does not include secure coding as an integral part of the process.
The result of not ensuring security in SDLC is additional time and money used to fix unsecured code.
Use SSDLC to add security awareness in every phase of SDLC!