What is a secure software development lifecycle (SSDLC)?
A secure software development lifecycle (SSDLC) is a software development lifecycle (SDLC) concept with a focus on building a secure product. The approach requires applying security testing to every stage of software solution development, from design to implementation.
In most cases, the secure software development process is divided into five phases:
- Drawing up requirements for the product or feature;
- Design and analysis of market solutions;
- Development;
- Testing;
- Deployment of the solution.
The differences between SSDLC and SDLC lie only in the practices and activities that allow the process to be called secure.
SSDLC process
There is no unified SSDLC process. Each company shapes its secure software development lifecycle according to its resources, goals, and competencies.
To implement SSDLC, we recommend examining the following standards for a comprehensive overview of secure development practices:
- NIST Cybersecurity Framework;
- BSIMM framework;
- OWASP OpenSAMM.
SSDLC phases
The SSDLC process can be divided into the five phases that were briefly outlined above. Let's take a closer look at each stage.
Phase 1: Requirements
At this stage of the secure software development lifecycle, the requirements for the product or functional solution (feature), also known as the terms of reference, are drawn up.
In addition to market (business) and basic technical requirements, the specification should also include information security requirements that meet regulatory requirements, international best practices, and internal software development and security policies.
Framing such requirements at an early stage is necessary for a more accurate estimate of the implementation cost in the following SSDLC phase.
Phase 2: Design and analysis
The second SSDLC stage covers the design of the product architecture. The process includes designing the integration of the new infrastructure with the existing one, defining the set of necessary software components, and describing the interactions between these components. All work is done with the information security requirements from the first stage in mind.
Apart from that, information security specialists work on threat modeling, risk assessment, and planning of protective measures. At this stage, threat intelligence may be used to accurately assess the threat landscape and the risks to the future product, based on its industry, geographical distribution, and other parameters.
Phase 3: Development
Relying on the requirements and the design produced in the previous stages, the software development team builds the code base.
At this stage of the secure software development lifecycle, the following tools are used:
- static code analysis (SAST);
- dependency analysis (SCA/OSA);
- unit-level fuzzing of individual functions (CI fuzzing).
These SSDLC tools significantly reduce the risk that simple vulnerabilities caused by oversight make it into production.
Phase 4: Testing
This SSDLC stage includes setting up a trial product infrastructure and verifying it for compliance with business requirements and use cases. The verification is performed by quality assurance specialists.
In parallel, dynamic testing (DAST) is performed to check the security of the software solution.
At this SSDLC phase, a third-party vendor may be hired for security assessment and testing. Such an approach allows an organization to evaluate its overall level of security, spot vulnerabilities and assess their severity, explore possible attack vectors, and obtain recommendations for protection.
Phase 5: Deployment
This SSDLC phase includes configuring the infrastructure to ensure stable operation of the product for its users.
The stage includes the following information security activities:
- Checking server configurations and infrastructure manifests;
- Deployment and maintenance of IPS/IDS systems;
- Deployment and maintenance of a WAF;
- Deployment and maintenance of SIEM systems with prompt incident response;
- Ensuring proactive response (SOC).
At this stage, a company could also sign an agreement with a third-party cybersecurity vendor to counter possible attacks and cybersecurity incidents. For instance, Group-IB Fraud Protection may be applied to banking applications or eCommerce software, which traditionally suffer from fraud. For software at high risk of breaches or targeted attacks, an incident response retainer agreement may be signed to ensure the fastest possible response in an emergency.
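As an added example (not code from the original article), the following Python check illustrates the "checking server configurations/infrastructure manifests" activity of this phase: it inspects a Kubernetes Pod spec for settings that weaken container isolation and compares a constructed weak manifest with its hardened counterpart. The sample manifests, the `registry.example` image names and the chosen rules are assumptions; the field names are the standard Kubernetes ones.

```python
# Added example, not code from the original article: a minimal manifest check for the
# "checking server configurations/infrastructure manifests" activity. It inspects a
# Kubernetes Pod spec (a dict, as if loaded from YAML/JSON) and reports settings
# that weaken container isolation; field names are the real Kubernetes ones.

def check_pod_manifest(manifest: dict) -> list[str]:
    """Return findings for a Pod manifest; an empty list means the manifest passes."""
    findings = []
    spec = manifest.get("spec", {})
    if spec.get("hostNetwork"):
        findings.append("pod shares the host network namespace (hostNetwork: true)")
    pod_ctx = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        name, ctx = c.get("name", "<unnamed>"), c.get("securityContext", {})
        if ctx.get("privileged"):
            findings.append(f"{name}: privileged container")
        # A container-level setting overrides the pod-level one when present.
        if not ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot is not enforced")
        if ctx.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        image = c.get("image", "")
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            findings.append(f"{name}: image '{image}' is not pinned to a fixed tag")
        if "limits" not in c.get("resources", {}):
            findings.append(f"{name}: no resource limits (resource-exhaustion risk)")
    return findings

# Constructed sample manifests for the same service, weak and hardened (assumptions).
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "payments-api"},
    "spec": {"hostNetwork": True, "containers": [{
        "name": "api", "image": "registry.example/payments-api:latest",
        "securityContext": {"privileged": True}}]}}

HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "payments-api"},
    "spec": {"securityContext": {"runAsNonRoot": True}, "containers": [{
        "name": "api", "image": "registry.example/payments-api:1.4.2",
        "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True},
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        result = check_pod_manifest(pod)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

In a pipeline, the same function would run against every manifest before deployment and a non-empty result would fail the job.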
