Abstract
There have been many evolutions of the software development lifecycle (SDLC). These differing models have moved software development groups from sequential development to a more agile and iterative development model. Increasing awareness and research focused on the cyber security landscape have resulted in a large push for shifting security left in the SDLC. With security engineering teams engaged earlier and more often throughout the SDLC, security issues will be found and fixed earlier, which increases efficiency while lowering cost and overhead. While this has been an important cultural and infrastructural shift for many technology companies, there is still a gap in this feedback loop that needs to be bridged: the gap between user experience designers and the software, security, and IT/operations engineers. Trade-offs have been made between security and usability, a challenge known as usability versus security. Much of the research that proposes how to change these two fields from opposing forces into cross-functional allies offers simplified solutions but doesn't go into granular detail about solving the problem. This paper covers the evolution of the SDLC from the Waterfall model through the DevSecOps agile methodology and proposes a new development model: the Technology Development Lifecycle (TDLC). This TDLC model aims to keep designers, software engineers, security engineers, and IT/operations all within a tight feedback loop throughout a continuous integration/continuous development pipeline. We will discuss various workflows, use cases, and technologies that can be used later on to implement a working environment that can enforce the TDLC model.