LECTURE NOTE02

Course Code: CMP 321

Course Title: System Analysis and Design

Synopsys Home Page Application Security

SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)

| Benchmark your software security program✕

Software Development Life Cycle (SDLC)

Benchmark your software security program

Home Glossary

Table of Contents

How was the SDLC created?

Why is the SDLC important?

The role of security in the SDLC

How does the SDLC work?

What are the SDLC models/methodologies?

SDLC best practices

How can Synopsys help?

The future of the SDLC

Definition

The Software Development Life Cycle (SDLC) is a structured process that enables the production of high-quality,
low-cost software, in the shortest possible production time. The goal of the SDLC is to produce superior software
that meets and exceeds all customer expectations and demands. The SDLC defines and outlines a detailed plan
with stages, or phases, that each encompass their own process and deliverables. Adherence to the SDLC
enhances development speed and minimizes project risks and costs associated with alternative methods of
production.

How was the SDLC created?

In the 1950s and 1960s, computer science progressed rapidly. This swift evolution sparked the beginnings of a
production framework that eventually grew into the SDLC we know today.
Prior to the 1950s, computing was not elaborate enough to necessitate a detailed approach like the SDLC. As
the complexity and scale of programming grew, the concept of structured programming emerged. Over time,
structured programming demanded more tactical development models, thus sparking the beginnings of the SDLC.

Why is the SDLC important?

It provides a standardized framework that defines activities and deliverables

It aids in project planning, estimating, and scheduling

It makes project tracking and control easier

It increases visibility on all aspects of the life cycle to all stakeholders involved in the development process

It increases the speed of development

It improves client relations

It decreases project risks

It decreases project management expenses and the overall cost of production

The role of security in the SDLC

The initial concept and creation of the SDLC only addressed security activities as a separate and singular task,
performed as part of the testing phase. The shortcomings of this after-the-fact approach were the inevitably high
number of vulnerabilities or bugs discovered too late in the process, or in certain cases, not discovered at all.
Today, it is understood that security is critical to a successful SDLC, and that integrating security activities
throughout the SDLC helps create more reliable software. By incorporating security practices and measures into
the earlier phases of the SDLC, vulnerabilities are discovered and mitigated earlier, thereby minimizing overall
time involved, and reducing costly fixes later in the life cycle.

This idea of ‘baking-in’ security provides a ‘Secure SDLC’- a concept widely recognized and adopted in the
software industry today. A secure SDLC is achieved by conducting security assessments and practices during
ALL phases of software development.

With modern application security testing tools, it is easy to integrate security throughout the SDLC. In keeping
with the ‘secure SDLC’ concept, it is vital that security assurance activities such as penetration testing, threat
modeling, code review, and architecture analysis are an integral part of development efforts.

The primary advantages of pursuing a secure SDLC approach include

More secure software as security is a continuous concern

Awareness of security considerations by stakeholders

Early detection of flaws in the system

Overall reduction of intrinsic business risks for the organization.

How does the SDLC work?

Planning phase

The planning phase encompasses all aspects of project and product management. This typically includes resource
allocation, capacity planning, project scheduling, cost estimation, and provisioning.

During the planning phase, the development team collects input from stakeholders involved in the project;
customers, sales, internal and external experts, and developers. This input is synthesized into a detailed definition
of the requirements for creating the desired software. The team also determines what resources are required to
satisfy the project requirements, and then infers the associated cost.

Expectations are clearly defined during this stage as well; the team determines not only what is desired in the
software, but also what is NOT. The tangible deliverables produced from this phase include project plans,
estimated costs, projected schedules, and procurement needs.

Coding phase

The coding phase includes system design in an integrated development environment. It also includes static code
analysis and code review for multiple types of devices.

Building Phase

The building phase takes the code requirements determined earlier and uses those to begin actually building the
software.

Testing Phase

The phase entails the evaluation of the created software. The testing team evaluates the developed product(s) in
order to assess whether they meet the requirements specified in the ‘planning’ phase.

Assessments entail the performance of functional testing: unit testing, code quality testing, integration testing,
system testing, security testing, performance testing and acceptance testing, as well as nonfunctional testing. If a
defect is identified, developers are notified. Validated (actual) defects are resolved, and a new version of the
software is produced.

The best method for ensuring that all tests are run regularly and reliably, is to implement automated testing.
Continuous integration tools assist with this need.

Release Phase

The release phase involves the team packaging, managing and deploying releases across different environments.

Deploy Phase
In the deployment phase, the software is officially released into the production environment.

Operate Phase

The operate phase entails the use of the software in the production environment.

Monitor Phase

In the monitor phase, various elements of the software are monitored. These could include the overall system
performance, user experience, new security vulnerabilities, an analysis of bugs or errors in the system.

What are the SDLC models/methodologies?

Waterfall

Waterfall represents the oldest, simplest, and most structured methodology. Each phase depends on the outcome
of the previous phase, and all phases run sequentially. This model provides discipline and gives a tangible output
at the end of each phase. However, this model doesn’t work well when flexibility is a requirement. There is little
room for change once a phase is deemed complete, as changes can affect the cost, delivery time, and quality of
the software.

Agile

In the agile methodology produces ongoing release cycles, each featuring small, incremental changes from the
previous release. At each iteration, the product is tested. The agile model helps teams identify and address small
issues in projects before they evolve into more significant problems. Teams can also engage business stakeholders
and get their feedback throughout the development process.

Lean

In the lean methodology for software development is inspired by lean manufacturing practices and principles. The
lean principles encourage creating better flow in work processes and developing a continuous improvement culture.
The seven lean principles are:

Eliminate waste

Amplify learning

Make decisions as late as possible

Deliver as fast as possible

Empower your team

Build integrity in
Build holistically

Iterative

In the iterative process, each development cycle produces an incomplete but deployable version of the software.
The first iteration implements a small set of the software requirements, and each subsequent version adds more
requirements. The last iteration contains the complete requirement set.

Spiral

In the spiral development model, the development process is driven by the unique risk patterns of a project. The
development team evaluates the project and determines which elements of the other process models to incorporate.

V-Shaped

In the V-shaped model, verification phases and validation phases are run in parallel. Each verification phase is
associated with a validation phase, and the model is run in a V-shape, where each phase of development has an
associated phase of testing.

SDLC best practices

The most important best practice to implement into your SDLC is effective communication across the entire team.
The more alignment, the greater the chances for success.

Signs of a well-implemented SDLC include:

The successful deployment of a comprehensive application security program

Code quality standards

Effective collaboration across teams

Streamlined workflows

Cross-involvement of teams throughout the life cycle

SDLC common mistakes and challenges

There are several pitfalls that threaten to negatively impact an SDLC implementation. Perhaps the most
problematic mistake is a failure to adequately account for and accommodate customer and stakeholder needs in
the process. This results in a misunderstanding of system requirements, and inevitable disappointment with the
end-product.
Additionally, the complexity of the SDLC often causes a project to derail or teams to lose sight of specifics and
requirements. Without strict adherence to all aspects of the parameters and design plans, a project can easily
miss the mark.

How can Synopsys help?

As shown above, security is critical to the SDLC. Synopsys enables you to add security testing to an existing
development process, thereby streamlining security throughout the SDLC. Synopsys solutions help you manage
security and quality risks comprehensively, across your organization and throughout the application life cycle.

Synopsys offers solutions for each phase of the SDLC.

Comprehensive Product and Service Offerings for your entire SDLC

Synopsys offers products and services that can be integrated throughout your SDLC to help you build secure
code, fast.

Building Security In Maturity Model (BSIMM)- Measure and benchmark your software security program against
other security programs and industry best practices.

Maturity Action Plan (MAP) - Get recommendations establish or improve your software security stance.

Software Testing Optimization - Help your team prioritize and create the right level of security testing.

Application Security Consulting Services Tackle your most challenging security and risk management initiatives
with on-demand help from experts.

Security Training/eLearning - Synopsys offers a wide range of education solutions to address your needs; from
understanding the basics of coding standards, to developing advanced skills to build secure code.

Strategic Product and Service Offerings for your Specific SDLC Needs

Architecture Risk Analysis - Improve your security stance and ensure that you have secure design practices in
place by identifying flaws within your systems designs.

For your planning phase activities

Threat Modeling - Bring your application design weaknesses to light by exploring potential hacker exploits.
Spot design flaws that traditional testing methods and code reviews might overlook.

For your planning phase activities

Coverity SAST- Analyze source code to find security vulnerabilities that make your organization’s applications
susceptible to attack. Address security and quality defects in code while it is being developed, helping you
accelerate development an increase overall security and quality.
For your code and build phase activities

Seeker- Automate web security testing within your DevOps pipelines, using the industry’s first IAST solution
with active verification and sensitive-date tracking for web-based applications, cloud based, microservices based &
containerized apps, (IAST) uses dynamic testing (a.k.a. runtime testing) techniques to identify vulnerabilities in
running web applications.

For your test and release phase activities

Defensics- Identify defects and zero-day vulnerabilities in services and protocols. Defensics is a comprehensive,
versatile, automated black box fuzzer that enables organizations to efficiently and effectively discover and
remediate security weaknesses in software.

For your test and release phase activities

White Hat Dynamic- Dynamic analysis evaluates an application while executing it to uncover issues with its
runtime behavior.

For your deploy, operate, and monitor phase activities

Black Duck Software Composition Analysis - secure and manage opensource risks in applications and
containers. Black duck offers a comprehensive software composition analysis (SCA) solution for managing
security, quality, and license compliance risk that comes from the use of open source and third-party code in
applications and containers.

Black Duck offers support from the code phase of your SDLC through your monitor phase activities:

Integrate Black Duck into bug and issue trackers to enable developers to track and manage opensource issues
found both in the test and release phases.

Automated ticket creation related to policy violations and security alerts helps teams manage issues in the
systems they already use to speed time to resolution and efficiently manage testing work.

Teams can perform a final scan for opensource security, license or operational issues before the application is
deployed to production.

Leverage advanced vulnerability remediation guidance, opensource license information and policy controls to
eliminate opensource risk in applications and containers.

Continuously monitor applications and containers in production for new opensource vulnerabilities and alert
teams where they work so they can patch issues quickly before a potential exploit occurs.
Black Duck integrates directly into the developers IDE to flag potential issues in opensource components as
they code, and integrations into package managers and build tools automate the discovery of opensource
dependencies to ensure a complete and accurate opensource bill of materials (BoM).

Synopsys Application Security Testing Services offer the solution for applying AppSec testing effectively across
your full application portfolio. Accelerate and scale application security testing with on-demand resources and
expertise when you lack the resources or skills to achieve your risk management goals.

Application Security Testing Services offer support from the code phase of your SDLC through your monitor
phase activities:

Dynamic Application Security Testing (DAST) - If your team lacks the resources for effective DAST testing,
Synopsys DAST allows you to analyze web applications at any time without the cost or complexity of in-house
DAST.

Penetration Testing - Synopsys Penetration Testing uses multiple testing tools and in-depth manual tests
focusing on business logic to find and try to exploit vulnerabilities in running web applications or web services.

SAST - Synopsys SAST enables you to quickly and cost-effectively implement and scale static analysis to
systematically find and eliminate security vulnerabilities found in source code.

Penetration testing - Penetration testing analysis helps you find and fix exploitable vulnerabilities in your server-
side applications and APIs. Reduce your risk of a breach by identifying and exploiting business-critical
vulnerabilities, before hackers do.

For your operate and monitor phase activities

Red Teaming - Ensure your network, physical, and social attack surfaces are secure. Vulnerabilities may seem
small on their own, but when tied together in an attack path, they can cause severe damage. Our red team models
how a real-world adversary might attack a system, and how that system would hold up under attack.

For your operate and monitor phase activities

Synopsys Software Integrity Portfolio

The future of the SDLC

With the adoption of faster and newer development life cycles, organizations are moving away from older SDLC
models (waterfall, for example). With ever-increasing demands for speed and agility in the development process,
automation has played a key role.

Development and operations are merging into a DevOps capability, as the boundaries between disparate teams
has been slowly dissolving in favor of a streamlined and synchronized approach to development.

Newer approaches to the SDLC have emerged as DevOps, a combination of philosophies and practices that
increase an organization’s ability to deliver applications more quickly. As SDLC methods shift more toward a
DevOps SDLC, consideration of the role security plays must also be addressed. Security is no longer a separate
and compartmentalized step in the SDLC-in order to guarantee secure software, produced at the speed of DevOps,
security is now being viewed as a critical component throughout the SDLC.

In coming years, no doubt, organizations will adopt not only a DevOps approach to their SDLC, but a more
evolved DevOps methodology, where security is baked into the entirety of the SDLC. In order to guarantee the
success of this modern software development model, an organization must be strategic in selecting tools that
support and enhance this effort. As a proven leader in the application security field, Synopsys offers a
comprehensive suite of products and services perfectly tailored to this effort.

Manage Risk at Enterprise Scale

RESEARCH PAPER

Software Vulnerability Snapshot

Software Vulnerability Snapshot

Learn about the 10 most common web app vulnerabilities

EBOOK

Build software security initiative in 5 steps

Manage your AppSec Risk

Get actionable insight to manage your software risk

EBOOK

Consolidate and Simplify AppSec to Manage your Software Risk

BLOG

How to Evaluate the ROI of your Software Security Program

Learn where to look for ROI in an AppSec program

Questions about application security?

Contact us

Footer

Synopsys Home Page

Corporate Headquarters

675 Almanor Ave

Sunnyvale, CA 94085

Customer Support

650-584-5000

800-541-7737

Worldwide Location

View our office locations

Products

Application Security

Semiconductor IP

Verification
Design

Silicon Engineering

Resources

Solutions

Services

Support

Community

Academic & Research Alliances (SARA)

Manage Subscriptions

Corporate

About Us

Careers

ESG

Inclusion & Diversity

Investor Relations

Contact Us

Legal

Privacy

Trademarks & Brands

Software Integrity Agreements

Security

Follow

©2023 Synopsys, Inc. All Rights Reserved

[30/09, 13:13] +234 803 595 0006: Software

Quality
Home Agile, DevOps and software development methodologies

DEFINITION

systems development life cycle (SDLC)

Alexander S. Gillis, Technical Writer and Editor

The systems development life cycle (SDLC) is a conceptual model used in project management that describes the
stages involved in an information system development project, from an initial feasibility study through
maintenance of the completed application. SDLC can apply to technical and non-technical systems. In most use
cases, a system is an IT technology such as hardware and software. Project and program managers typically take
part in SDLC, along with system and software engineers, development teams and end-users.

Every hardware or software system will go through a development process which can be thought as an iterative
process with multiple steps. SDLC is used to give a rigid structure and framework to define the phases and steps
involved in the development of a system.

SDLC is also an abbreviation for Synchronous Data Link Control and software development life cycle. Software
development life cycle is a very similar process to systems development life cycle, but it focuses exclusively on the
development life cycle of software.

SDLC models

Various SDLC methodologies have been developed to guide the processes involved, including the original SDLC
method, the Waterfall model. Other SDLC models include rapid application development (RAD), joint application
development (JAD), the fountain model, the spiral model, build and fix, and synchronize-and-stabilize. Another
common model today is called Agile software development.

Frequently, several models are combined into a hybrid methodology. Many of these models are shared with the
development of software, such as waterfall or agile. Numerous model frameworks can be adapted to fit into the
development of software.

In SDLC, documentation is crucial, regardless of the type of model chosen for any application, and is usually
done in parallel with the development process. Some methods work better for specific kinds of projects, but in the
final analysis, the most crucial factor for the success of a project may be how closely the particular plan was
followed.

Steps in SDLC

SDLC can be made up of multiple steps. There is no concrete set number of steps involved. Around seven or eight
steps appear commonly; however, there can be anywhere from five upwards to 12. Typically, the more steps
defined in an SDLC model, the more granular the stages are.
In general, an SDLC methodology follows these following steps:

Analysis: The existing system is evaluated. Deficiencies are identified. This can be done by interviewing users of
the system and consulting with support personnel.

Plan and requirements: The new system requirements are defined. In particular, the deficiencies in the existing
system must be addressed with specific proposals for improvement. Other factors defined include needed features,
functions and capabilities.

Design: The proposed system is designed. Plans are laid out concerning the physical construction, hardware,
operating systems, programming, communications and security issues.

Development: The new system is developed. The new components and programs must be obtained and installed.
Users of the system must be trained in its use.

Testing: All aspects of performance must be tested. If necessary, adjustments must be made at this stage. Tests
performed by quality assurance (QA) teams may include systems integration and system testing.

Deployment: The system is incorporated in a production environment. This can be done in various ways. The new
system can be phased in, according to application or location, and the old system gradually replaced. In some
cases, it may be more cost-effective to shut down the old system and implement the new system all at once.

Upkeep and maintenance: This step involve changing and updating the system once it is in place. Hardware or
software may need to be upgraded, replaced or changed in some way to better fit the needs of the end-users
continuously. Users of the system should be kept up-to-date concerning the latest modifications and procedures.

Other steps which may appear include project initiation, functional specifications, detailed specifications,
evaluation, end-of-life and other steps that can be created by splitting previous steps apart further.

Advantages and disadvantages of SDLC

Benefits of abiding by a clearly defined SDLC model include:

Having a clear view of an entire project, workers involved, estimated costs and timelines.

Gives project managers a projected base cost of the project.

Goals and standards are clearly defined.

Developers can move back a step if something does not go as expected.

Disadvantages, however, can include:

Due to assumptions made at the beginning of a project, if an unexpected circumstance complicates the
development of a system, then it may stockpile into more complications down the road. As an example, if newly
installed hardware does not work correctly, then it may increase the time a system is in development, increasing
the cost.

Some methods are not flexible.

It can be complicated to estimate the overall cost at the beginning of a project.

Testing at the end of development may slow down some development teams.

SDLC setup Creating SDLC

This was last updated in June 2019

Continue Reading About systems development life cycle (SDLC)

What you need to know about the ALM methodology

The System Development Life Cycle: A Phased Approach to Application Security

How should I implement a disaster recovery process in my SDLC approach?

Learn IT: Software development

Related Terms

automated testing

Automated testing is a software testing technique that automates the process of validating the functionality of
software and ... See complete definition

daily stand-up meeting

A daily stand-up meeting is a short organizational meeting that is held each day. See complete definition

iterative development

Iterative development is a way of breaking down the software development lifecycle (SDLC) of a large application
into smaller ... See complete definition

Dig Deeper on Agile, DevOps and software development methodologies

shift-left testing

By: Rahul Awati

iterative development

By: Rahul Awati

Hofstadter's law
By: Rahul Awati

waterfall model

By: Ben Lutkevich

-ADS BY GOOGLE

CLOUD COMPUTING

APPLICATION ARCHITECTURE

IT OPERATIONS

JAVA

AWS

Cloud Computing

How to modernize apps as part of the cloud migration process

Take stock of your applications, and modernize them where appropriate as part of a cloud migration. Learn about
the benefits of ...

3 factors that influence multi-cloud cost optimization

Without careful oversight, multi-cloud deployments can be expensive. These data management and security
practices can help IT ...

About Us Editorial Ethics Policy Meet the Editors Contact Us Advertisers Partner with Us Media Kit Corporate
Site

Contributors Reprints Answers Definitions E-Products Events Features

Guides Opinions Photo Stories Quizzes Tips Tutorials Videos

All Rights Reserved,

Copyright 2006 - 2023, TechTarget

Privacy Policy

Do Not Sell or Share My Personal Information