What is a Secure Development Lifecycle (SDLC)?

Question

Accepted Answer

A **Secure Development Lifecycle (SDLC)** integrates security into every phase of software development — from requirements through design, coding, testing, deployment, and maintenance — rather than treating it as an afterthought. It embodies "shift left" and "security by design."

## Security throughout the lifecycle

```text
Integrate security into EVERY phase (not just at the end):
  REQUIREMENTS → define security requirements; consider compliance
  DESIGN → THREAT MODELING; secure architecture; security review of the design
  DEVELOPMENT → secure coding practices; code review; SAST in the IDE/CI
  TESTING → security testing (SAST, DAST, dependency scanning, pen testing)
  DEPLOYMENT → secure configuration; secrets management; hardening
  MAINTENANCE → patching, monitoring, incident response, ongoing scanning
→ "shift left" — address security EARLY (cheaper than fixing after a breach).
```

## Why shift left

```text
The cost to fix a security flaw GROWS dramatically the later it's found:
  caught in design/code (cheap) << found in testing << exploited in PRODUCTION
  (very expensive: breach, damage, emergency response)
→ Building security in early (vs bolting it on / fixing breaches) is far more effective
  and cheaper.
```

## Practices that support an SDLC

```text
✓ Security TRAINING for developers; secure coding standards
✓ Automated security in CI/CD (SAST, dependency scanning, secret scanning) → catch per change
✓ Threat modeling and security review at design; security testing before release
✓ Security CHAMPIONS in teams; security as part of "definition of done"
✓ Continuous monitoring, patching, and improvement in production
→ Make security a continuous, integrated part of how software is built (DevSecOps).
```

## Why it matters

Understanding the Secure Development Lifecycle is valuable senior-level knowledge because it represents the **mature, effective approach of integrating security throughout development** rather than as an afterthought, so it's important for building secure software systematically.

An SDLC integrates security into **every phase** — requirements (defining security needs), design (threat modeling, secure architecture), development (secure coding, SAST), testing (security testing), deployment (secure configuration, hardening), and maintenance (patching, monitoring, incident response) — embodying **"security by design"** and **"shift left."** Understanding this comprehensive integration is the key insight: security isn't a single phase or an add-on but a continuous concern woven through the whole lifecycle.

Understanding **why shift left** matters — that the cost to fix a security flaw grows dramatically the later it's found (cheap in design/code, expensive when exploited in production with a breach and emergency response) — provides the compelling economic and effectiveness rationale for addressing security early rather than reacting to breaches.

Understanding the **supporting practices** — security training and standards for developers, **automated security in CI/CD** (SAST, dependency scanning, secret scanning catching issues per change), threat modeling and security review at design, security testing before release, security champions and security in the "definition of done," and continuous production monitoring and patching — reflects how an SDLC is implemented in practice (often called DevSecOps).

This represents the mature approach to security that effective organizations adopt.

Since building secure software effectively requires integrating security throughout development (not as an afterthought) and the SDLC/shift-left approach is far more effective and cheaper than reactive security, and since understanding it reflects mature security practice, understanding the Secure Development Lifecycle is valuable senior-level knowledge — the systematic, integrated approach to building secure software, embodying security-by-design and shift-left, and reflecting the comprehensive security maturity (DevSecOps) expected for senior roles who shape how teams build software securely throughout the development process.