What is the Software Development Life Cycle (SDLC)?

The software development life cycle (SDLC), sometimes also referred to as the software development process, is a standardized project management framework that organizations use to create high-quality software with faster time to production and lower overall cost.

The SDLC approach to software development typically begins with looking for defects in an existing system, defining the requirements associated with a new and improved system, and then designing and creating the software for that new system.

Adopting the SDLC approach helps businesses clarify their goals, more effectively manage software projects, ensure project continuity in the event of departing team members, properly test software before it goes into production, and increase the likelihood of completing projects on time and within budget. The SDLC is also a repeatable process: its later phases feed back into the initial phases, allowing businesses to refine and improve their applications over time.

The Seven Phases of the Software Development Life Cycle (SDLC)

There are many SDLC models in use today, each with its own strengths and limitations. Some SDLC approaches incorporate the agile methodology, which allows for more flexibility and incremental iteration, while others rely on the more linear and sequential waterfall approach.

Each SDLC framework typically consists of five to seven distinct phases, depending on the company involved and the specific goals of its software development. The core SDLC phases are usually concerned with software design, development, testing, and deployment.

Here are the seven most common phases found in an SDLC approach:

  1. Planning. Product managers and project managers meet to discuss the scope of the project. At this stage, they may create early written deliverables such as project plans, schedules, cost estimates, and procurement requirements.
  2. Requirements. Technical professionals begin gathering requirements from business stakeholders. If a previous system exists, they examine its shortcomings and identify any remediations that need to be addressed in the new version. If the software is entirely new, they simply proceed to define its requirements. In either case, the goal is to create a detailed definition of what the final product is intended to achieve.
  3. Design and prototyping. Software developers translate the requirements they have gathered into a software design plan. They outline the software's architecture and specify the technologies involved in the development process, along with the team resources, time frames, and budget required to create it.
  4. Development. Developers create the software, engaging stakeholders to confirm that it meets the desired requirements. At the completion of this phase, the business should have functional software that can be tested and deployed.
  5. Testing. This crucial phase of the SDLC focuses on ensuring a quality product, employing a range of testing methods including code quality checks, unit testing, integration testing, performance testing, and security testing to ensure the software performs as expected. Any defects or bugs not detected during the development phase are examined and fixed before the final product is deployed.
  6. Deployment. Once all issues have been resolved, the software is ready to go into production. This process is automated in some larger enterprise environments; however, some small to mid-sized organizations, or businesses in heavily regulated industries, may require an additional final sign-off step before this phase is complete.
  7. Operations and maintenance. After the software is deployed, it is continually monitored for potential bugs, defects, or security vulnerabilities. This phase can loop back to earlier steps of the SDLC as the software, now in production, is continually refined and improved.

Application Security and the Software Development Life Cycle (SDLC)

While businesses typically want to roll out new code as quickly as possible to maximize market opportunities, this strategy sometimes fails to give security proper consideration. Some businesses may discover unexpected vulnerabilities that have the potential to seriously compromise their own enterprise data as well as that of their customers. Some of the most serious breaches to make headlines in recent years occurred because the businesses involved had not adequately prioritized security concerns early enough in the SDLC.

As awareness of the importance of application security has increased in recent years, more and more companies have begun to consider security earlier in the SDLC. In doing so, they can better mitigate potential risks, detect bugs sooner, identify user experience problems earlier, and reduce the cost of fixing all of these issues during the software development process. DevSecOps, a security-focused evolution of the popular DevOps concept for software design and deployment, seeks to explicitly embed application security best practices earlier in the SDLC.

Software Development Life Cycle Best Practices

  1. Address security early on. Cybercriminals are increasingly targeting web applications, so businesses must prioritize security concerns earlier in the SDLC. This is especially true if the software in question is mission-critical. Tapping the benefits of a web application security scanner and conducting other forms of web application security testing earlier in the process helps your business reduce risk, resolve emerging issues before they become major headaches, and cut costs.
  2. Consider a DevSecOps approach. Application security should be a shared responsibility across security, IT operations, and development teams, rather than being relegated to a separate team at the end of the SDLC (typically in the testing phase, as listed above). Keeping application security within the SDLC throughout helps you deploy software securely without sacrificing speed.
  3. Encourage collaboration. Effective collaboration is crucial, especially when not everyone speaks the same language or sees issues from the same perspective. For example, security teams consider vulnerabilities major threats to the business, while their development counterparts often view them primarily as bugs to be fixed. Creating common tools and workspaces where different teams can come together to collaborate, discuss issues early on, and foster a spirit of camaraderie will go a long way toward ensuring the success of the SDLC.
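To make the "address security early" and DevSecOps practices above concrete, here is an added illustration (example code written for this page, not Rapid7's product or any project's code) of a pipeline policy gate: scanner findings from SAST, dependency audit and DAST are normalised into one record shape and checked against a per-phase threshold, so developers get fast, lenient feedback before merge while the release gate is strictest. The phase names, severity thresholds, rule identifiers and sample findings are all constructed assumptions for the example.

```python
"""Illustrative DevSecOps policy gate (example code, not Rapid7's).

Each SDLC phase blocks on a different minimum severity: early phases block
on less so feedback stays fast; the deployment gate is the strictest.
Unknown severities fail closed. All data below is constructed.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed policy: minimum severity that fails the build at each phase.
PHASE_BLOCK_THRESHOLD = {
    "development": "critical",  # pre-merge: only the worst findings block
    "testing": "high",          # CI test stage: high and above block
    "deployment": "medium",     # release gate: medium and above block
}


@dataclass(frozen=True)
class Finding:
    tool: str                # scanner that produced it ("sast", "deps", "dast")
    rule: str                # scanner rule id (constructed for the example)
    severity: str
    location: str
    accepted: bool = False   # risk accepted through a tracked exception


def severity_rank(severity: str) -> int:
    """Rank a severity label; unrecognised labels rank as critical (fail closed)."""
    return SEVERITY_RANK.get(severity.lower(), SEVERITY_RANK["critical"])


def blocking_findings(findings, phase):
    """Return the findings that violate the policy for the given phase."""
    if phase not in PHASE_BLOCK_THRESHOLD:
        raise ValueError(f"unknown SDLC phase: {phase}")
    threshold = SEVERITY_RANK[PHASE_BLOCK_THRESHOLD[phase]]
    return [f for f in findings
            if not f.accepted and severity_rank(f.severity) >= threshold]


def evaluate_gate(findings, phase):
    """Return (passed, report_text) for one pipeline stage."""
    blocked = blocking_findings(findings, phase)
    advisory = [f for f in findings if f not in blocked]
    lines = [f"phase={phase} blocking={len(blocked)} advisory={len(advisory)}"]
    for f in blocked:
        lines.append(f"BLOCK    {f.severity.upper():8} {f.tool}/{f.rule} at {f.location}")
    for f in advisory:
        tag = "ACCEPTED" if f.accepted else "WARN"
        lines.append(f"{tag:8} {f.severity.upper():8} {f.tool}/{f.rule} at {f.location}")
    return (len(blocked) == 0, "\n".join(lines))


# Constructed scanner output standing in for real SAST/dependency/DAST results.
SAMPLE_FINDINGS = [
    Finding("sast", "sql-string-concat", "high", "app/orders.py:42"),
    Finding("deps", "outdated-tls-lib", "critical", "requirements.txt:7"),
    Finding("sast", "debug-flag-enabled", "medium", "app/settings.py:3"),
    Finding("dast", "missing-security-header", "low", "https://staging.example.test/"),
    Finding("deps", "legacy-yaml-parser", "high", "requirements.txt:12", accepted=True),
]

if __name__ == "__main__":
    for phase in PHASE_BLOCK_THRESHOLD:
        passed, report = evaluate_gate(SAMPLE_FINDINGS, phase)
        print(report)
        print("RESULT:", "pass" if passed else "FAIL", "\n")
```

Run as-is, the same five findings pass through three gates: the development gate blocks only the critical dependency finding, the testing gate also blocks the high-severity SAST finding, and the deployment gate blocks the medium one too, while the risk-accepted finding is reported but never blocks. This is the "shared responsibility" model in practice: developers see security results in the same pipeline as their unit tests, and the security team owns the thresholds and the exception list rather than a separate late-stage review.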

The SDLC is an effective approach to designing and creating software, but it truly shines when all stakeholders prioritize security concerns and deliberately build security testing into the process early on. By taking a security-conscious approach to the SDLC and encouraging effective collaboration between teams, your business can bring high-quality software to market in less time, with fewer headaches along the way.
