Blog 22.12.2025

How to integrate information security into software development – the Secure Development Lifecycle (SDL)

The Secure Development Lifecycle (SDL) is a structured approach to integrating information security into every phase of software development. There are several SDL models available, each with its own strengths and weaknesses.

Information security is a multifaceted field, which can make its inclusion in software development seem challenging. However, there are structured ways to integrate security into every phase of the development process. This approach is known as the Secure Development Lifecycle, more commonly referred to as SDL.

There are multiple SDL models, each offering different advantages and limitations. Well-known SDL models include:

  • Microsoft Security Development Lifecycle
    This is widely regarded as the most influential of all SDL models. It was originally developed for Microsoft’s internal development processes. Its general applicability is excellent; however, the trade-off is that the model is not particularly detailed.
  • OWASP Software Assurance Maturity Model (SAMM)
    Like Microsoft’s SDL, this framework is technology-agnostic and suitable for a wide range of software development contexts. SAMM categorises security based on business functions and therefore also covers elements of governance and administrative security. The model includes three maturity levels and comes with its own assessment tool.
  • Building Security in Maturity Model (BSIMM)
    BSIMM is based on an analysis of the security practices of over 130 organisations. It examines which security practices are most commonly used and which are the most difficult to adopt. The model was not designed specifically for technology companies, which means that on its own it often lacks the level of detail required for software projects.

The adoption of SDL is also supported by various standards and guidelines. For example, IEC 62443-4-1 is a standard for secure product development designed specifically for industrial automation systems.

Core components of SDL

Although SDL models vary in their details, they share many common elements. A comprehensive SDL typically includes the following components:

1. Governance and administrative security

In the governance phase, requirements imposed by the industry or legislation are identified, along with the security competencies expected from different stakeholders and the methods used to manage security risks.

2. Requirements management

Security requirements management focuses on threat modelling and the security context of the product. Threat modelling is a systematic technique for identifying potential threats to a software system. Following threat modelling, a risk analysis is carried out, and its outputs are used to define appropriate security controls.

3. Design

Security is often regarded as a design challenge, which is why SDL places strong emphasis on secure design principles. Key concepts include defence in depth and minimising the attack surface. It is important to note that this phase often reveals that not all requirements identified earlier can be fully implemented in the final design.

4. Implementation

The implementation phase focuses on tools and practices that help developers build secure software. Examples include CI/CD pipelines and static code analysis. It is during this phase that a software project often diverges most significantly from its original design.

5. Testing and verification

This phase includes both security testing and implementation verification. Testing focuses on the functionality and security of the product, ensuring that security controls operate as intended and that the product can withstand various types of security attacks. Verification, on the other hand, aims to identify gaps between the original design and the actual implementation.

6. Maintenance and incident management

The software lifecycle does not end with the release of the product. During the maintenance and incident management phase, the deployed software is monitored and further developed. In addition, processes are defined for responding to security incidents and vulnerabilities.

Conclusion

The Secure Development Lifecycle (SDL) is a crucial approach for integrating information security into every phase of software development. Although the security landscape can be complex, SDL-based models provide valuable guidance for navigating it.

Whether it is the Microsoft Security Development Lifecycle, OWASP SAMM or BSIMM, each SDL model offers distinct benefits for software development. To ensure that security remains an integral part of development, the activities defined by SDL must be consistently embedded into the organisation’s own software development processes.

Iiris Joutsi

Security Consultant
