ABSTRACT

During the second phase of the security development lifecycle, security considerations are brought into the software development lifecycle to ensure that all threats, requirements, and potential constraints on functionality and integration are considered (see Figure 4.1). At this stage of the SDL, security is looked at more in terms of business risks, with inputs from the software security group and discussions with key stakeholders in the SDLC. Business requirements are defined in the security terms of confidentiality, integrity, and availability, and needed privacy controls are discussed for creation, transmission, and personally identifiable information (PII). SDL policy and other security or privacy compliance requirements are also identified at this stage of the SDL. This ensures that security and privacy discussions are performed as part of, rather than separate from, the SDLC, so that project personnel share a solid understanding of business decisions and their risk implications for the overall development project. A cost analysis of the development and support costs required for security and privacy, consistent with business needs, is also done as part of the requirements analysis. As discussed previously, the planning and awareness of security, privacy, and risk management early in the SDLC through the proper use of an SDL will result in significant cost and time savings.