ABSTRACT
Many organizations have a System or Software Development Lifecycle (SDLC) to ensure that a
carefully planned and repeatable process is used to develop systems. The SDLC typically includes
stages that guide the project team in proposing, obtaining approval for, generating requirements for,
designing, building and testing, deploying, and maintaining a system. However, many SDLCs do not
take security into consideration adequately, resulting in the productionalization of insecure systems.
Even in cases where there are security components in the SDLC, security is oftentimes the sacrificial
lamb in a compressed project delivery timeframe. This neglect brings risk to the organization, and
creates an operational burden on the IT staff, resulting in the need for costly, difficult, and time-
consuming security retrofitting. In a climate where the protection of information is increasingly tied
to an organization’s integrity, security needs to be strongly coupled with the system development
process to ensure that new systems maintain or improve the current security level of
the organization.