Basics and History of Software Development
Software development has changed significantly over the years. In the past, the waterfall model was the predominant methodology, where development occurred in sequential phases: requirements analysis, design, implementation, testing, and maintenance. Each phase had to be completed before the next could begin.
Over time, agile methods such as Scrum and Kanban became popular. They follow an iterative approach and enable closer collaboration between development teams and stakeholders, which allows a faster response to changes and continuous delivery of value.
The next evolutionary step was DevOps, which brings together Development and Operations. DevOps practices such as Continuous Integration (CI) and Continuous Deployment (CD) enable software to be delivered faster and more reliably.

Testing – Functionality vs. Security
Traditionally, testing focused primarily on the functionality of the software: tests checked whether the software met the specified requirements and worked as expected. Security aspects were often neglected or considered only late in the development process.
This is problematic because security vulnerabilities discovered only in later phases are significantly more expensive to fix. Studies show that the cost of fixing errors increases exponentially the later they are found in the development cycle.
For example, a defect discovered in the requirements phase costs only a fraction of what it would cost to fix the same error in the production phase; the difference is often a factor of 100 or more.
Furthermore, research shows that 64% of all software defects originate in the requirements and design phases. This underscores the importance of integrating security into the development process from the very beginning.


Embedding Security in the SDLC
To effectively integrate security into the Software Development Life Cycle (SDLC), the concept of the Secure Software Development Life Cycle (SSDLC) was developed. SSDLC extends the traditional SDLC with security-specific activities in every phase of the development process.
There are various SSDLC models and frameworks that support companies in integrating security into their development processes:

Prescriptive Models
These models provide concrete guidelines and best practices:
- Microsoft SDL (Security Development Lifecycle): A framework developed by Microsoft with specific security requirements for each SDLC phase
- NIST SSDF (Secure Software Development Framework): A framework from the National Institute of Standards and Technology that defines practices for minimizing security risks
- OWASP SAMM (Software Assurance Maturity Model): A framework that helps organizations evaluate and improve their software security practices
Descriptive Models
These models analyze existing practices:
- BSIMM (Building Security In Maturity Model): A data-driven model based on the analysis of real security initiatives from companies, showing what other organizations actually do
The most important insight is: Take ONE instead of NONE. Any SSDLC framework is better than none at all. It's more important to start with a structured approach than to find the "perfect" approach.
In the next article, we will look in more detail at the various SSDLC models and examine how to apply them in practice. We will also take a closer look at the concept of "Shift-Left" – an approach that aims to perform security testing as early as possible in the development process.