Importance of incorporating security within the System Development Life Cycle (SDLC)

This blog provides an overview on the importance of integrating security across the System's Development Life Cycle (SDLC) when developing or integrating new applications.

What is a System Development Life Cycle (SDLC)?

An SDLC methodology is a conceptual model that addresses software engineering phases when a new system is being introduced into the organization and/or in-house developed either as a product for an organization to offer it's consumers and/or an organization that has a unique set of requirements that aren't offered by software companies currently in the market.

While there are many methodologies in place, the guidance for incorporating security can be easily delineated by addressing specific tasks within the phases of software engineering and/or as part of Commercial over-the-shelf (COTS) acquisition review process. In addition to the software engineering phases, this incorporates security when the system is no longer needed and/or is being replaced. The key areas within the phases include, but are not limited to, the following:


Phase Description
Initiation During this phase, security is looked at in terms of business risks with input from Tier 1 & Tier 2 MGMT personnel. The key security activities include, but are not limited to, the following:

  • Justification for the need of developing an in-house application vs considering a Commercial off-the-shell (COTS) application, if applicable;
  • Funding and Resources required for ensuring the system is developed securely;
  • Initial delineation of business requirements in terms of confidentiality, integrity, and availability;
  • Determination of information categorization and identification of known special handling requirements to transmit, store, or create information such as Personally Identifiable Information (PII) or Protected Health Information (PHI); and
  • Determination of privacy requirements.

Development/ Acquisition In this phase, Tier 2 personnel will initiate the process for acquiring the necessary resources delineated during the first phase and initiate the acquisition, delineate the security baselines impacting the system components, and initiate the security documents development. The Key security activities for this phase, include but are not limited to, the following:

  • Identify the COTS applications required for development and initiate the acquisition process;
  • Conduct a Risk Assessment and leverage the results to supplement the baseline controls deemed essential in accordance with the system's FIPS 19 Security Categorization Level (i.e., LOW, MOD, HIGH);
  • Identify the security requirements that must be supported by the system as part of the Functional Requirements and document within the "Design Document"';
  • Analyze the system requirements impacting the system;
  • Review the system's architecture to delineate the security architecture impacting it's components;
  • Perform functional and security testing;
  • Develop initial documentation for accrediting the system.

Implementation/ Assessment During this phase, the components required for developing the system are installed and evaluated. The system development process begins and is assessed as it is built during various stages prior to being accredited. The key security activities for this phase, include but are not limited to, the following:

  • Integration of the system into the organization's environment in accordance with the approved security architecture;
  • Planning and Development of accreditation level activities in synchronization with testing of security controls; and
  • Finalization of the activities required to accredit the system for goLive.

Operation/ Maintenance During this phase, the systems that have been accredited are in place and operating, enhancements and/or modifications to the systems are developed and tested, and hardware and software is added or replaced in accordance with the organization's configuration management process. The components are monitored for performance and assess periodically to determine how the system can be configured to be more effective, secure, and efficient while complying with the security requirements deemed necessary. The system's operation continues as long as it can be effectively adapted to meet organizational needs while maintaining an agreed-upon risk level. The key security activities for this phase, include but are not limited to, the following:

  • Operational readiness review;
  • Configuration Management;
  • Institution of processes and procedures for ensuring operations and continuous monitoring activities of the system's security posture; and
  • Re-Authorization to ensure it complies with the organization's risk appetite and acceptable risk level.

Disposal This phase takes place when the system is no longer required and/or is being replaced with a more secured updated option and is set for disposal and closeout of business contracts in place. The activities within this phase ensure the orderly termination of the system and preservation of vital information so that some or all of the information can be reactivated in the future, if deemed necessary. The key security activities for this phase, include but are not limited to, the following:

  • Development of a Disposal/ Transition Plan;
  • Archive of critical information in accordance with the record management regulations and standards impacting the system;
  • Sanitization of media; and

  • Proper disposal of hardware components.

Are there different SDLC Methodologies?

Yes. There are many methodologies that can be used by an organization to effectively develop a system. The expected size and complexity of the system, the development schedule, and the anticipated length of a system’s life may affect the choice of which SDLC model to use. The methodology selected will depend on the organization's acquisition policy and funding. The table below provides an overview of the most common SDLC options.

Methodology Description
Waterfall In this model, the software development process is divided in separate phases and each phase must be completed before the next phase can begin. There's no overlapping in the phases. It is a sequential design process in which progress is seen as flowing steadily downwards (like a waterfall) through the phases of Conception, Initiation, Analysis, Design, Construction, Testing, Production/ Implementation and Maintenance.
Rapid Application Development (RAD) This methodology creates an application more quickly by employing techniques aimed at speeding application development, such as the use of fewer formal methodologies and reuse of software components. In exchange for faster development, some compromises in functionality and performance may be realized. It is important to ensure, however, that this exchange for a faster product delivery does not result in compromises being made in the selection and specification of the security controls necessary to provide adequate security for the information and the information system, and the mission function they support.
Joint Application Development (JAD) In this methodology, the client or end user collaborates with the developers through JAD sessions to design and develop an application. Because the development process involves greater involvement of the client, this methodology may lead to faster development and greater client satisfaction.
AGILE There are different agile methods, but the common goal is to adapt to change and deliver working software as quickly as possible. This model allows the customer to see the result and determine if it satisfies the needs of the organization. It consist of short weekly meetings-- sprints which are part of a SCRUM approach. The biggest disadvantage is the absence of define requirements , those making it difficult to estimate the resources and development cost.

Today, the methodology used by most organizations is AGILE. However, before selecting such is important to grasp the methodology in order to determine the best way to integrate security within. In many instances, this process fails to incorporate Configuration Management, which is essential for keeping track of changes approved.

My advice.... before selecting a methodology, perform research on each and clearly identify the PROS and CONS for each methodology.

Why is it important to incorporate security into the SDLC Process?

It is importance because early integration of security within the SDLC process will enable an organization to maximize return on investment in their security programs, through:

  • Early identification and mitigation of security vulnerabilities and misconfigurations, resulting in lower cost of security control implementation and vulnerability mitigation;
  • Awareness of potential engineering challenges caused by mandatory security requirements associated with a standard (i.e., NIST, HIPPA, PCI, etc.)
  • Identification of shared security services and reuse of security strategies and tools to reduce development cost nd schedule while improving security posture through proven methods and techniques;
  • Facilitation of informed executive decision making through comprehensive risk management in a timely manner;
  • Improved organization and customer confidence to facilitate adoption and usage as well as confidence to promote continued investment; and
  • Improved systems interoperability and integration that would otherwise be hampered during the various phases of the SDLC process.

What's the best approach to implement security within the SDLC?

The most effective way to accomplish the integration of security within an SDLC is to plan and implement a comprehensive risk management program. This will result in integrated security costs and requirements as well as an embedded, repeated authorization process that provides risk information to Tier 1 stakeholders and personnel (I.e., Developers) throughout the organization.

The SDLC is best applied as part of the RMF Tier 2 and should be an Enterprise Level Process that is approved by Tier 1 Management in conjunction with the organization's Enterprise Architecture. This will allow for security planning at an enterprise level that allows reuse, decreases cost and schedule development, and promotes security reliability.

Interested on learning more? Contact US via our site form at 

NOTE: Due to security concerns, we limit our web content to bare bones. Please note that you will receive a response within forty-eight (48) hours or less.

By Karen Baez | on Wednesday, October 3 2018 20:25

Add a comment

HTML code is displayed as text and web addresses are automatically converted.

They posted on the same topic

Trackback URL :

This post's comments feed