ABSTRACT

Software development is a constant balancing act among functional requirements, business drivers, deadlines, limited resources, risk, and flexibility. This balancing act is governed by the Software Development Life Cycle (SDLC) methodology selected for the software development effort. Unfortunately, many of the SDLC methodologies in use today do not recognize security as a functional requirement that must be a part of any development effort. The following major SDLCs do not have a concrete notion of security:

- Waterfall
- Incremental Build
- Spiral
- Rational Unified Process (RUP)
- Extreme Programming (XP)

Within these SDLC methodologies, security is treated as just one more nonfunctional requirement. And experience has taught that nonfunctional requirements are often the first thing to go in the face of budget cuts, scarce resources, and tighter schedules. Eliminating security controls from a software development effort will increase the risks associated with that software development project.