π What is the Security Development Lifecycle?
The Security Development Lifecycle (SDL) is a structured approach to embedding security into every phase of software development, not bolting it on at the end.
π§ Core idea: Build secure software by design, not by accident.
SDL ensures that security risks are identified early, reduced continuously, and validated before release.
𧩠SDL Phases (High-Level View)
| Phase | Goal | Key Question |
|---|---|---|
| π§ Planning | Define security expectations | What can go wrong? |
| ποΈ Design | Architect securely | How do we prevent abuse? |
| π¨βπ» Development | Write secure code | Are we coding safely? |
| π§ͺ Testing | Find weaknesses | What did we miss? |
| π Release | Ship securely | Is it safe to deploy? |
| π Maintenance | Stay secure | What changed or broke? |
ποΈ SDL Explained with a Real DevOps Example
π― Scenario
You are building a customer-facing web application:
- Frontend: React
- Backend: Java API
- CI/CD: GitHub Actions
- Cloud: AWS
π§ 1. Planning Phase
π Objective: Identify risks before writing code
Activities
- Identify sensitive data (PII, credentials)
- Define compliance needs
- Decide security standards
Example
- App stores user emails and passwords
-
Decision:
- β Passwords must be hashed
- β TLS mandatory
- β No secrets in GitHub repo
Risk Identified: Credential leakage
Mitigation: Use secrets manager + hashing
π’ Security is cheaper here than anywhere else
ποΈ 2. Design Phase
π§ Objective: Prevent architectural flaws
Activities
- Threat modeling
- Secure architecture design
- Define trust boundaries
Example
- API exposed publicly
- Database private subnet
- JWT-based authentication
π₯ Threat Identified
Threat: API abuse via unauthenticated requests
π© Mitigation
Use OAuth2 + rate limiting + API Gateway
π¨βπ» 3. Development Phase
π§ͺ Objective: Write secure code by default
Activities
- Secure coding standards
- Dependency management
- Static code analysis
Example
- Developer commits Java code
-
GitHub Action runs:
- SAST scan
- Dependency vulnerability scan
- name: Run security scan
run: mvn verify
π₯ Bad Practice
String query = "SELECT * FROM users WHERE id=" + userId;
π© Secure Practice
PreparedStatement stmt = connection.prepareStatement(
"SELECT * FROM users WHERE id = ?"
);
π§ͺ 4. Testing Phase
π Objective: Break the app before attackers do
Activities
- Dynamic testing (DAST)
- Penetration testing
- Fuzz testing
Example
- App deployed to staging
- Automated scanner detects:
Vulnerability: XSS in search endpoint
Severity: High
π’ Fix applied before production
π’ No customer impact
π 5. Release Phase
π‘οΈ Objective: Ship with confidence
Activities
- Security sign-off
- Secrets verification
- Infrastructure hardening
Example
-
CI/CD checks:
- β Hardcoded secrets
- β Open security groups
- β Missing HTTPS
π’ Release blocked until fixed
π’ Security becomes a gate, not an afterthought
π 6. Maintenance Phase
π Objective: Stay secure over time
Activities
- Patch dependencies
- Monitor logs
- Respond to incidents
Example
- New CVE published for a library
- GitHub Dependabot raises PR
- Patch merged within hours
π’ Continuous security
π’ Reduced blast radius
π§ Why SDL Actually Works
| Benefit | Impact |
|---|---|
| π’ | Reduces breaches |
| π΅ | Lowers cost of fixes |
| π | Improves compliance |
| π΄ | Prevents last-minute panic |
π₯ SDL in One Sentence
SDL is the discipline of treating security as a feature, not a bug.
π§ Final Takeaway for DevOps Engineers
- If security is only checked **after deployment**, you are already too late.
- Secure software is not tested into existence. It is designed that way.
Top comments (0)