SDLC - At what stage in the cycle do you "bring up" security?

During the development life cycle, it is important to plan for security integration. At what stage in the cycle do you "bring up" security?

SDLC could be taken as system development life cycle (Initiation, Acquisition/development, Implementation, Operation/maintenance, and Disposal) or software development life cycle (Requirements gathering, Design, Development, Testing/Validation, Release/Maintenance in general), since basic needs for computer systems may be different from developing software securely. As long as we are following a structure and nothing is being missed on security side and various steps involved, we are good.

Overall, whether we talk about system development life cycle or software development life cycle, security must be integrated in each and every phase involved.

What is Secure Software Development? 

When security of the application is being on priority while each phase of development and all the possible measures have been taken, keeping in mind Confidentiality availability and integrity of the app right from beginning to end, no matter what model we follow, it's Secure Software Development.

As per Microsoft , "The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost"

Phase 1 Training

1. Core Security Training

Phase 2 Requirements

2. Establish Security and Privacy Requirements

3. Create Quality Gates/Bug Bars

4. Perform Security and Privacy Risk Assessments

Phase 3 Design

5. Establish Design Requirements

6. Perform Attack Surface Analysis/ Reduction

7. Use Threat Modeling

Phase 4 Implementation

8. Use Approved Tools

9. Deprecate Unsafe Functions

10. Perform Static Analysis

Phase 5 Verification

11. Perform Static Analysis

12. Perform Fuzz Testing

13. Conduct Attack Surface Review

Phase 6 Release

14. Create an Incident Response Plan

15. Conduct Final Security Review

16. Certify Release and Archive

Phase 7 Response

17. Execute Incident Response Plan

On the similar  lines, Web Application Security Project (OWASP)  talks about many recommendations that could integrate in each phase.


Web Application Security Consortium (WASC) , talks about top attack methods against which application must be safeguard under Secure Software Development.