DevOps is fine! Now we need to include security in the DevOps process, and so we get DevSecOps. We have talked about DevSecOps a lot, but if you want to become an expert in DevSecOps, you need a road map to learn it. As part of the Road Map to DevSecOps, this is Part 1, covering the Secure Software Development Life Cycle (S-SDLC). Secure SDLC is the process of building security activities such as code review, penetration testing, and more into the SDLC framework.
What is Secure SDLC?
In simple words, the Secure Software Development Lifecycle is the process of carrying out security activities and collecting security requirements in parallel with the usual functional requirements collection in the SDLC.
So the definition is fine! Now we need to know what the security activities are and where and when to add them in the SDLC process. Read on to understand the activities of the Secure SDLC.
Activities in Secure SDLC
Along with the traditional SDLC, we have a couple of activities to perform to ensure security in the SDLC. We will look at the traditional SDLC and the security activities involved in each of its phases.
Before that, as a recap, let us see what the phases of the SDLC are.
Each phase in the SDLC has some security process, which we will discuss one by one.
As we all know, initiation or planning is the process of defining what we are going to do and why we are going to do it. So here we will see the security processes involved in this phase of the SDLC.
Design and Requirement Gathering
After initiation, defining the requirements and designing the product architecture is the phase where we have important security activities to perform, because here we must identify the threats we can capture, define them, and review the existing process. The activities are:
In the development process, it is important to perform certain security activities that help reduce risk and vulnerabilities. It is also important to follow certain activities that help automate the security analysis process with CI/CD.
Testing and Code Analysis
As we all know, testing is an important pillar of the DevOps process. Similarly, for security, this is the important phase where all the collected metrics and parameters are tested to verify whether the developed product meets a high enough standard to mitigate the defined vulnerabilities.
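As an added example (not part of the original article), here is a small security gate in Python that turns the collected scan metrics into an automated promotion decision in CI: findings from SAST, SCA and DAST are counted per severity, risk acceptances recorded during the design review are honoured until they expire, and a per-stage policy decides whether the build passes. The finding format, tool names, finding ids, thresholds and dates are constructed assumptions, not a particular scanner's output.

```python
"""Security gate for the Testing and Code Analysis phase (added example).

Findings use a constructed, scanner-neutral shape: tool, id, severity,
location. Real SAST, SCA and DAST output would be normalised into it.
"""
from collections import Counter
from datetime import date

# Constructed sample findings, as a CI job might collect them from scanners.
SAMPLE_FINDINGS = [
    {"tool": "sast", "id": "SQLI-001", "severity": "high", "location": "app/db.py:42"},
    {"tool": "sast", "id": "XSS-007", "severity": "medium", "location": "app/views.py:88"},
    {"tool": "sca", "id": "DEP-2021-EXAMPLE", "severity": "critical", "location": "requirements.txt"},
    {"tool": "dast", "id": "HDR-CSP", "severity": "low", "location": "https://staging.example/"},
]

# Risk acceptances agreed in the design review (constructed): finding id -> expiry (ISO date).
ACCEPTED_RISKS = {"DEP-2021-EXAMPLE": "2030-01-01"}

# Maximum open findings per severity at each gate; the release gate is stricter.
POLICY = {
    "pull_request": {"critical": 0, "high": 0, "medium": 5, "low": 50},
    "release": {"critical": 0, "high": 0, "medium": 0, "low": 10},
}


def open_findings(findings, accepted, today):
    """Return findings whose risk acceptance is missing or has expired.

    ISO dates compare correctly as strings, so no date parsing is needed.
    """
    return [f for f in findings if accepted.get(f["id"], "") <= today]


def evaluate_gate(findings, stage, accepted=ACCEPTED_RISKS, today=None):
    """Evaluate one gate. Returns (passed, list of violation messages)."""
    today = today or date.today().isoformat()
    counts = Counter(f["severity"] for f in open_findings(findings, accepted, today))
    violations = [
        f"{sev}: {counts[sev]} open finding(s), limit {limit}"
        for sev, limit in POLICY[stage].items()
        if counts[sev] > limit  # Counter returns 0 for unseen severities
    ]
    return (not violations, violations)


if __name__ == "__main__":
    for stage in POLICY:
        passed, why = evaluate_gate(SAMPLE_FINDINGS, stage, today="2025-01-01")
        print(f"{stage}: {'PASS' if passed else 'FAIL'} {why}")
```

The same gate can run at the pull request and at release time with different thresholds, so a finding that is tolerable early in the SDLC still blocks promotion to production.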
Deployment and Operation
Deployment and operational maintenance is the final and important phase of the Software Development Lifecycle. This phase also exposes the developed product to the real world, where we may face unpredicted threats. Hence, we have the following processes to mitigate security risks.
Each process in each phase is not just theory: every single process is implemented with a set of tools and applications under a defined process and framework. As part of this Road Map to DevSecOps, we will discuss every process mentioned in this article in detail, with examples and exercises.
This article is just an explanation of what the Secure Software Development Life Cycle is and the activities and processes involved in each phase of the SDLC. We will soon publish structured articles for the road map to becoming an expert in DevSecOps. In upcoming articles, we will discuss DevSecOps Maturity Modeling (DSOMM), code analysis in the CI/CD process, the detailed penetration testing process, and more. Stay tuned and subscribe to DigitalVarys for more articles and study materials on DevOps, Agile, DevSecOps, and app development.