Information Security Development Lifecycle

For both Security Services and Applications, the development and deployment of security mechanisms should be integrated with the development lifecycle of IT systems. Organisations often rely on security being the ethical hacking performed at the end of a development. Unfortunately, this is usually too late to integrate the appropriate security technology and processes into the technical solution being developed. Business executives are then often left with the decision of either stopping the launch of a business service or putting the business at risk.

Security needs to be integrated from the initiation of a business project (not just an IT project) to deliver a product or service for the business. Even before the IT solution is defined, a core set of security controls can be specified and included in the business case for development of a solution. To successfully manage the delivery of projects, the majority of businesses have control points throughout a project lifecycle. These control points assure the solution being proposed and assess the risks to delivery of the project. The same control points can be used to control security assurance at each stage of development.

The diagram below uses the Security Bastion Project Lifecycle Model to show the control points used for approval before the next stage of a project proceeds. The Project Lifecycle Model is not meant to dictate the actual engagement model being used for deployment of a project.

The lifecycle model can be used with a traditional waterfall development approach or with other development methods such as the Security Bastion SECBP. It can also be used to describe IT infrastructure projects or outsourcing transformation projects.

[Figure: Project Lifecycle Model]

Figure 8: Project Lifecycle Model

A security development method is sometimes defined for the development of applications, but the development of infrastructure services should also comply with the same method of development. Infrastructure development often includes the development of tools and scripts for the operation of the solution.