System Development Security Methodology

Many organizations have a system or software development life cycle (SDLC) to ensure that a carefully

planned and repeatable process is used to develop systems. The SDLC typically includes stages that guide

the project team in proposing, obtaining approval for, generating requirements for, designing, building

and testing, deploying, and maintaining a system. However, many SDLCs do not take security adequately

into consideration, resulting in the production of insecure systems. Even in cases where the SDLC does

have security components, security is oftentimes the sacrificial lamb in a compressed project delivery

timeframe. This neglect brings risk to the organization and creates an operational burden on the

information technology staff, resulting in the need for costly, difficult, and time-consuming security

retrofitting. In a climate where the protection of information is increasingly tied to an organization’s

integrity, security must be strongly coupled with the system development process to ensure that new

systems maintain or improve the current security level of the organization.