The secure development lifecycle describes the approach that is used to define, develop, deliver and maintain software.
This lifecycle is intended to be used by software teams including product managers, designers, developers and quality assurance to develop secure software products. This policy describes the lifecycle of feature development.
This lifecycle integrates security into all aspects of application software development and comprises six phases.
- Identify the scope, goals, and necessary resources for development
- Define functional and security requirements for the feature
- Considering core engineering principles
- Security controls such as authentication, data encryption, and secure communication protocols
- Inform the marketing team and customer support of the projected timelines, features, and any potential market impacts
- Create a feature description that incorporates identified security controls and meets the definition of ready
- Perform threat modeling to identify potential risks and design appropriate countermeasures (e.g. the 4-question framework)
- Document design decisions, security controls, implementation and verification
- Adhere to coding standards and secure coding practices
- Implement features and security controls according to the design
- Conduct code review for all changes
- Ensure automated code quality and security testing checks are passing
- Perform testing to validate that the application meets desired requirements. The testing methodology is set by project-specific guidelines.
- Conduct security testing identified during the planning phase (e.g. static code analysis, dynamic scanning, and penetration testing)
- Address identified issues and vulnerabilities, and validate the effectiveness of fixes
- Document testing activities and results for the feature
- Prepare the application for deployment, considering secure configuration and hardening measures
- Utilize secure deployment practices, such as code signing and secure distribution channels
- Implement mechanisms for secure updates and patches to ensure ongoing security
- In the event of a security breach or incident, follow the established incident response plan
- Monitor for issues and security vulnerabilities, and apply patches or updates according to the triage framework
- Collect and analyze user feedback to identify potential issues or security vulnerabilities
- Incorporate security enhancements and bug fixes into future releases
- Continuously evaluate and improve the security posture of the application