SDLC methodologies
23
Dec

7 SDLC methodologies that every Application Security Engineer should know

Over the years, the software development life cycle (SDLC) has been reintroduced with robust models adopted by security development teams across the globe. Each of these methodologies has advantages as well as disadvantages. Organizations are free to choose one that best suits their needs.

SDLC is a standard process of designing, developing, testing, and maintaining software. It focuses on developing cost-effective software within the best time possible. The software development team follows the chosen model for developing high-quality software.

For that, the team members must possess the required skills to develop software using secure SDLC. They should also be well-versed with various secure coding practices like input validation, cryptography, session management, and several others.

While making a choice, consider that different models offer a specific degree of flexibility. Although all these models follow different procedures, the goal is to provide high-quality software that is cost-effective within the best time possible.

Secure SDLC should be considered an industry-standard approach to deliver secure software. It can be divided into six phases to ensure the incorporation of security elements in the entire software development journey.

Common SDLC Models

Here are the most common SDLC models that every software security engineer should know:

1. Waterfall Software Development Life Cycle

This is a traditional approach that is falling out of favor because of its rigid nature. The model demands all system requirements ahead of time, while customer interaction is possible in the beginning phase only. Several experts claim that the waterfall model was never supposed to be used for developing software.

But there are those who appreciate the straightforward appeal of the model. It is a step-by-step approach with no turning back. The successive phase requires the information gathered in the preceding one.

Pros of Waterfall SDLC Cons of Waterfall SDLC
  • With technical documentation in the initial phase, the entire team understands their individual objectives.
  • Progress monitoring is easy as each phase has a strict discipline.
  • With test scenarios being defined in the functional specification of the requirements phase, testing becomes more natural and transparent.
  • With clear documentation, the team and the client know what outcome to expect.
  • Unsatisfied clients as their random requests can’t be fulfilled.
  • The model offers no flexibility to cater to changes or new developments.
  • Compared to iterative methodology like Agile, this model may take longer to deliver a project.

2. Iterative Software Development Life Cycle

Unlike the stringent stepwise waterfall model, the iterative methodology begins by defining a subset of software requirements. Throughout the development process, the project iteratively evolves until the final system is implemented and successfully deployed. An iterative software development life cycle never starts with complete documentation of system requirements; it enhances with each phase.

Pros of Iterative SDLC Cons of Iterative SDLC
  • Early detection of potential flaws.
  • Documentation will not be time-consuming.
  • It is best suited for projects requiring continuous modifications.
  • Testing and debugging becomes easy because of continuous iteration at each phase.
  • It may require additional resources.
  • Careful management is required.
  • It is not suitable for smaller projects.
  • The project delivery time is highly dependent on the risk analysis.

3. Spiral Software Development Life Cycle

It is a combined idea of iterative and waterfall models with a major focus on risk analysis. Each phase in this model starts with a design goal and ends with the client approving the outcome of the phase.

As per this approach, the software development team begins with the pre-defined subset of software requirements and drifts through all the development phases with those sets of requirements. For every additional requirement, the team needs to add extra functionality in every spiraling phase until the software enters the production phase.

Pros of Spiral SDLC Cons of Spiral SDLC
  • The development phase can be defined by the project manager, depending upon the complexity of the project. This makes the spiral SDLC one of the most flexible models.
  • Each phase involves the key stakeholders, making the project monitoring the easiest of all.
  • This model is more transparent than others as shareholders can monitor the progress.
  • Risk management is an integral part of spiral model.
  • The model is flexible enough to update changes without much extra work.
  • The spiral methodology is the best choice for high-risk projects and products that require high customization privileges.
  • It is an expensive model.
  • A skilled professional is required to review the project at regular intervals.
  • This model comes with pre-defined rules and protocols, which need to be followed throughout the process.
  • Customization makes it impossible to use the same prototype for other projects.
  • It is not needed for low-risk projects.
  • Meeting delivery time and pre-planned budgetary could be a challenge.
  • Heavy documentation in intermediate stages makes it very complex.

4. V-Model Software Development Life Cycle

The V-Model SDLC is also known as the Verification and Validation model. The processes occur sequentially in a V-shape. It is an extended form of Waterfall model with each development stage associated with a testing phase. The V-Model is a highly disciplined model, and as it is similar to the Waterfall model, the development team needs to complete each phase successfully before jumping onto another.

Pros of V-Model SDLC Cons of V-Model SDLC
  • Phase completion occurs one at a time, making it a highly disciplined model.
  • Best suited for smaller projects with all-known requirements.
  • It is easy to understand and adopt.
  • Each phase consists of a separate review process and expected outcome.
  • It is an uncertain and risky model.
  • The model does not support complex and object-oriented projects.
  • It also not suitable for long and continuously changing projects.
  • After reaching the testing phase, no extra functionality can be added to the project.

5. Agile Software Development Life Cycle

It is a combination of iterative and incremental SDLC models, but it concentrates on process adaptability and customer satisfaction. To fulfill the second objective, the model aims to achieve quick product delivery. Under this model, the product is divided into small incremental builds. All these builds go through iterative processes. The time required to complete an iteration is about 1 to 3 weeks.

Pros of Agile SDLC Cons of Agile SDLC
  • It follows a realistic and very practical approach to software development.
  • It demands teamwork.
  • The creation and demonstration of functionalities are rapid.
  • This model requires limited resources.
  • It best suits both the ever-changing as well as fixed projects.
  • It has an easy documentation process with minimum rules and protocols.
  • No exaggerated or detailed planning required.
  • It offers a high degree of flexibility.
  • The model can’t handle complex dependencies of one process over another.
  • It is a risky methodology in terms of sustainability and extensibility.
  • Without the involvement of Agile leader and Agile project management (PM), the model won’t work.
  • As it majorly focuses on delivery management, other factors depend on it: scope, functionality, and the adjustments of the project.
  • Highly dependent on customer interaction. If the wrong direction is followed, the result won’t meet the expected outcome.

6. Prototyping Software Development Life Cycle

The design team aims to produce an early model of the project with limited functionalities. The prototype does not contain the complete functionality or go through harsh testing; it just gives an overview to the clients about what to expect. Their response or feedback helps in the betterment of the developing software. The reason behind its increasing popularity is the understanding of customer requirements at the initial stage of software development.

Pros of Prototyping SDLC Cons of Prototyping SDLC
  • It presents a better way of involving users (before developing the final product).
  • The user gets a better idea of what to expect as the end product.
  • Less time-consuming and highly cost-effective as the defects can be detected in the early stages.
  • Client feedback leads to the betterment of the outcome.
  • Additional or missing functionalities can be detected during software prototyping.
  • High dependency on the prototype.
  • The prototype can confuse the client regarding the final product.
  • This approach can increase the scope of the project beyond the original plan.
  • Reusing the developed prototype for another project might not lead to a technically feasible option.
  • If the efforts invested in developing a prototype is not monitored properly, it could go to waste.

7. RAD Software Development Life Cycle

The RAD (Rapid Application Development) methodology consists of prototype and iterative models without any specific plan. Under this model, the code writing process is included in the software development plan. The client requirements are gathered at various stages of the software development life cycle, including early prototype testing, reuse of the components of the prototype, or through workshops. The model allows for continuous integration at a rapid delivery pace.

Pros of RAD SDLC Cons of RAD SDLC
  • Changes in requirements can be integrated into the project.
  • Software development progress can be easily evaluated.
  • With the use of powerful RAD tools, the iteration time can be shortened.
  • Faster delivery time.
  • Possibility of reusing prototypes or components of a prototype.
  • Reliable customer feedback.
  • Team members should have technical as well as other skills to identify the business requirements.
  • Highly dependent on prototyping skills.
  • Expensive because of the involvement of prototyping and auto-code generation.
  • It suits the products that require scalability and are component-based.
  • It needs user involvement throughout the software development life cycle.

Employ a Certified Application Security Engineer (CASE) professional who can choose a suitable SDLC model depending on the requirements of the project. The CASE program not only imparts comprehensive theoretical knowledge but ensures that the attendee gains all the required technical skills that could be put to immediate use. After completing the course, the professional is well-versed with the secure software development process and, as part of other responsibilities, can incorporate input validation techniques, defense coding practices, authentications, authorizations, and other techniques in the SDLC model.

 

get certified from ec-council
Write for Us