Abstract
Today, a central and critical aspect of cybersecurity problems is related to software problems. Software security is about understanding software-induced security risks and how to manage them. To manage software security effectively, we need to understand the process of designing, building, and testing software for security. The System Development Life Cycle (SDLC) process that is currently used to support software development does not address any security components until after the software is developed. From the perspective of software security, the Secure Software Development Life Cycle (SSDLC) is similar to the SDLC but includes security components in its phases. Many SSDLC models have been proposed, most of them modified from preexisting SDLC models. A study was conducted to survey a selected group of SSDLC models and their effectiveness. The authors first identified four popular SSDLC models used in the IT industry and then analyzed their common characteristics to derive four sets of criteria for comparison. These criteria are Focus Areas of Application, Implementation of Model, Security Implementations and Enhancements, and Security Training and Staff. Overall, the comparison results demonstrate that the Rastogi and Jones model is considered to be an effective one for many IT projects, especially for Agile projects. However, it is worth mentioning that, because of the various types of IT projects, one specific model cannot be applied to all types of IT projects. For an IT project operated in Waterfall, the BSI Seven Touchpoints model can be an excellent alternative.