The standard software development cycle has the following four phases: Requirement analysis and design, Development (Coding), Testing, Deployment.
According to a SANS whitepaper, each of these phases has certain security responsibilities to fulfill.
- Requirement analysis and design: Requires a high-level risk assessment, identification of possible security vulnerabilities based on destructive use cases, and implementation of security design practices.
- Development (Coding): Implementation of security controls and secure coding guidelines.
- Testing: Security testing, penetration testing, and blue team testing (in addition to the traditional functional and regression testing).
- Deployment: Securing migration processes, post-production security.
It is clear that the Deployment phase is the easiest one in this life cycle. It requires:
- automated installers and uninstallers
- deployment using least privilege security models
- no backdoors
- documentation that doesn’t contain any default accounts
- every configuration parameter to be findable
This is mostly straightforward when compared to the security measures necessary in the other three phases.
Haridas, N. (2007, April 2). Software Engineering – Security as a Process in the SDLC. Retrieved from https://www.sans.org/reading-room/whitepapers/securecode/software-engineering-security-process-sdlc-1846
Deployment. (n.d.). Retrieved from https://www.owasp.org/index.php/Deployment