SDLC Phases

---

I'm preparing for my CISSP exam and I want to get some clarification on the SDLC phases. Can someone verify for me that these are the SDLC phases or if I'm getting it wrong ??

Phase 1 Project and Initiation
Phase 2 Functional Requirements definition
Phase 3 System design specification
Phase 4 Development & Implementation
Phase 5 Documentation & Common program controls
Phase 6 Testing and Evaluation
Phase 7 Transition to Production

@wesley-jones,

From what I can find, there are 6 phases rather than 7.

• Planning and requirement gathering – business requirements are gathered.
• Architecture and Design – system and software design is prepared according to the requirements gathered in the first phase.
• Test Planning – a test strategy is determined to decide what to test and how to test.
• Coding and Implementation – coding is done by dividing system design into work modules.
• Testing and Deployment – the developed product is tested against the actual requirements to check that it serves the purpose.
• Release and Maintenance – the final product is released and time to time maintenance is done to fix issues that arise.

According to the CISSP Exam-Outlines Domain Objective 8.1, you're to Understand and integrate security in the Software Development Life Cycle (SDLC) using:

• Development methodology
• Change Methodology
• Maturity Models
• Integrated Product Team
• Operation and maintenance

Adam Gordon may have a correction to what I've posted here...but this should get you started.

Wesley,

I hope all is well. Great set of questions around the SDLC. Let's begin with the basics, which is a definition of the SDLC that will set the stage for tackling the phases:

What is the SDLC? - a multistep, iterative process, structured in a methodical way. Used to model or provide a framework for technical and non-technical activities to deliver a quality system which meets and/or exceeds expectations.

Now, on to the phases... So, here is the issue with answering your question: It depends. What I mean by that is that depending on the methodology being used to drive the SDLC, the phases may be slightly different, and the number will vary, as some may be condensed, or exploded out into smaller steps. In general, the steps that are identified and defined are as follows:

The (insert # here) Phases of the SDLC:

a. Requirements Gathering & Analysis - main focus of the project managers and stake holders. Meetings with managers, stake holders and users are held in order to determine the requirements like; Who is going to use the system? How will they use the system?  What data should be input into the system?  What data should be output by the system?  A Requirement Specification document is created which acts as a guideline for the next phase of the model. 

NOTE:

non-functional requirements describe how the system works

functional requirements describe what the system should do

b. Design - system and software design is prepared from the requirement specifications which were crafted in the first phase. System Design helps in specifying hardware and system requirements and also helps in defining overall system architecture. The system design specifications serve as input for the next phase of the model. Architecture, Outputs & Interfaces | Data input, flow & output defined related to security architecture | Goal is to transform detailed requirements into a complete, detailed design document focused on how we are going to deliver required functionality

c. Implementation / Coding / Development -  work is divided into modules/units and actual coding is started. This is the longest phase of the software development life cycle.

d. Testing - After the code is developed it is tested against the requirements to make sure that the product is actually solving the needs addressed and gathered during the requirements phase. During this phase all types of functional testing like unit testing, integration testing, system testing, acceptance testing are done as well as non-functional testing.

Testing guidance:
	
1. Test with data that brackets acceptable usage ranges
2. Test with sanitized, known good data, but NEVER production data
3. IF production data must be used, ALWAYS seek owner approval
4. Test all changes
5. Separation between testing & production must be maintained
6. Management should acknowledge results of tests


e. Deployment - After successful testing the product is delivered / deployed to the customer for their use. Involves the actual installation of the newly-developed system. Puts the project into production. Must resolve problems identified in Integration & testing.

f. Maintenance - Maintain system(s) in production environment

You may also want to check out the following resources:

An interesting project from OWASP - https://www.owasp.org/index.php/Secure_SDLC_Cheat_Sheet

Another from Microsoft - the Security Development Lifecycle (SDL) -
https://www.microsoft.com/en-us/sdl

Hope that helps to clarify a bit. I would go with the stages as I have identified and defined them above for exam purposes. In the real world, a I suggested above, the methodology may create distinctions and variations unique to a project or team.

Good luck with your studying and please let me know if you have any other questions that I can be of help with.

Cheers !!

Adam

@Adam-Gordon

Thank you for your reply regarding the SDLC phases. The definition and explanation that you gave was great. I actually wrote down the same explanation in your video presentation. So here is the thing that brought on this question. I recently took my CISSP exam and failed. One of the domains that I need improvement on is the Security Architecture & Engineering. Specifically one of the questions that got me is with the SDLC phases. I remember asked about specifically how do you implement Certification & Accreditation when for example when building an application. And it asked with C&A where do you implement Certification in those phases that you listed and Certification. Also the names of the phases what different to. It wasn't called what you listed in your response however I kind of new what they were talking about. So I guess to add to my question can you give me examples when implementing the C&A process to an application or widget. In the a high level general sense

Wesley,

I hope all is well. I am sure that based on your questions, our discussion to get you the right information, and your hard work, you will be successful the next time around.

If you take a look at the other question that you posted regarding the scenario for addressing C&A in the lifecycle, I have answered your question there.

As you indicated, and I believe that I have also discussed both in the episodes and here, the lifecycle phase names may be different (on the exam and/or in real life), it is the essence of the activities that take place by phase that should inform your answers and help you to understand what the right answer is if you are asked about the phases.

Hopefully that helps to make sense out of things.

Good Luck !!!

Adam