ABSTRACT
Many organizations have a system or software development life cycle (SDLC) to ensure that a carefully
planned and repeatable process is used to develop systems. The SDLC typically includes stages that guide
the project team in proposing, obtaining approval for, generating requirements for, designing, building
and testing, deploying, and maintaining a system. However, many SDLCs do not take security adequately
into consideration, resulting in the production of insecure systems. Even in cases where the SDLC does
have security components, security is oftentimes the sacrificial lamb in a compressed project delivery
timeframe. This neglect brings risk to the organization and creates an operational burden on the
information technology staff, resulting in the need for costly, difficult, and time-consuming security
retrofitting. In a climate where the protection of information is increasingly tied to an organization’s
integrity, security must be strongly coupled with the system development process to ensure that new
systems maintain or improve the current security level of the organization.