I hope all is well. Great set of questions around the SDLC. Let's begin with the basics, which is a definition of the SDLC that will set the stage for tackling the phases:
What is the SDLC? - a multistep, iterative process, structured in a methodical way. Used to model or provide a framework for technical and non-technical activities to deliver a quality system which meets and/or exceeds expectations.
Now, on to the phases... So, here is the issue with answering your question: It depends. What I mean by that is that depending on the methodology being used to drive the SDLC, the phases may be slightly different, and the number will vary, as some may be condensed, or exploded out into smaller steps. In general, the steps that are identified and defined are as follows:
The (insert # here) Phases of the SDLC:
a. Requirements Gathering & Analysis - main focus of the project managers and stakeholders. Meetings with managers, stakeholders and users are held in order to determine the requirements, like: Who is going to use the system? How will they use the system? What data should be input into the system? What data should be output by the system? A Requirement Specification document is created which acts as a guideline for the next phase of the model.
Non-functional requirements describe how the system works.
Functional requirements describe what the system should do.
b. Design - system and software design is prepared from the requirement specifications which were crafted in the first phase. System Design helps in specifying hardware and system requirements and also helps in defining overall system architecture. The system design specifications serve as input for the next phase of the model. Architecture, outputs & interfaces; data input, flow & output defined in relation to the security architecture. Goal is to transform detailed requirements into a complete, detailed design document focused on how we are going to deliver the required functionality.
c. Implementation / Coding / Development - work is divided into modules/units and actual coding is started. This is the longest phase of the software development life cycle.
d. Testing - After the code is developed it is tested against the requirements to make sure that the product is actually solving the needs addressed and gathered during the requirements phase. During this phase all types of functional testing like unit testing, integration testing, system testing, acceptance testing are done as well as non-functional testing.
1. Test with data that brackets acceptable usage ranges
2. Test with sanitized, known good data, but NEVER production data
3. IF production data must be used, ALWAYS seek owner approval
4. Test all changes
5. Separation between testing & production must be maintained
6. Management should acknowledge results of tests
e. Deployment - After successful testing the product is delivered / deployed to the customer for their use. Involves the actual installation of the newly-developed system. Puts the project into production. Must resolve problems identified in Integration & testing.
f. Maintenance - Maintain system(s) in production environment
You may also want to check out the following resources:
An interesting project from OWASP - https://www.owasp.org/index.php/Secure_SDLC_Cheat_Sheet
Another from Microsoft - the Security Development Lifecycle (SDL) -
Hope that helps to clarify a bit. I would go with the stages as I have identified and defined them above for exam purposes. In the real world, as I suggested above, the methodology may create distinctions and variations unique to a project or team.
Good luck with your studying and please let me know if you have any other questions that I can be of help with.