Application Security in SDLC
Throughout the SDLC there are points at which an application security consultant should get involved. Performing security activities across the lifecycle has proven to be far more cost-effective than either a “big design up front” security effort, a single pre-production security review, or a single application penetration test. The reason for intervening at regular intervals is that potential issues can be detected early in the development life cycle, where they are less costly to address.
Integrating application security mechanisms into the System Development Life Cycle (SDLC) can dramatically improve the overall quality of the code developed.
Waterfall SDLC Example (alignment with application security practices):
- Requirements Definition
- Application Security Requirements
- Architecture and Design
- Application Threat Modelling
- Secure Coding
- Security Code Review
- Penetration Testing
- Secure Configuration Management
- Secure Deployment