The cloud further heightens the need for applications to go through a software development lifecycle process
Following are the phases in all software development lifecycle process models:
Planning and requirements analysis
Business and security requirements and standards are being determined.
This phase is the main focus of the project managers and stakeholders.
Meetings with managers, stakeholders, and users are held to determine requirements.
The software development lifecycle calls for all business requirements (functional and nonfunctional) to be defined even before the initial design begins.
Planning for the quality assurance requirements and identification of the risks associated with the project are also conducted in the planning stage.
The requirements are then analyzed for their validity and the possibility of incorporating them into the system to be developed
The defining phase is meant to clearly define and document the product requirements to place them in front of the customers and get them approved.
This is done through a requirement specification document, which consists of all the product requirements to be designed and developed during the project lifecycle.
System design helps in specifying hardware and system requirements and helps in defining overall system architecture.
The system design specifications serve as input for the next phase of the model.
Threat modeling and secure design elements should be undertaken and discussed here.
Upon receiving the system design documents, work is divided into modules or units and actual coding starts.
This is typically the longest phase of the software development lifecycle.
Activities include code review, unit testing, and static analysis.
After the code is developed, it is tested against the requirements to make sure that the product is solving the needs gathered during the requirements phase.
During this phase, unit testing, integration testing, system testing, and acceptance testing are conducted.
Most software development lifecycle models include a maintenance phase as their endpoint.
Operations and disposal are included in some models as a way of further subdividing the activities that traditionally take place in the maintenance phase, as noted in the next sections.
Secure Operations Phase
From a security perspective, once the application has been implemented using software development lifecycle principles, the application enters a secure operations phase.
Proper software configuration management and versioning are essential to application security. Some tools can be used to ensure that the software is configured according to specified requirements.
Following are two such tools:
- Puppet: According to Puppet Labs, Puppet is a configuration management system that allows you to define the state of your IT infrastructure and then automatically enforces the correct state.4
- Chef: With Chef, you can automate how you build, deploy, and manage your infrastructure. The Chef server stores your recipes as well as other configuration data.
- The Chef client is installed on each server, virtual machine, container, or networking device you manage (called nodes).
- The client periodically polls the Chef server for the latest policy and the state of your network. If anything on the node is out of date, the client brings it up to date.5
- The goal of these applications is to ensure that configurations are updated as needed and there is consistency in versioning
This phase calls for the following activities to take place:
- Dynamic analysis
- Vulnerability assessments and penetration testing (as part of a continuous monitoring plan)
- Activity monitoring
- Layer-7 firewalls (such as web application firewalls)
When an application has run its course and is no longer required, it is disposed of.
From a cloud perspective, it is challenging to ensure that data is properly disposed of because you have no way to physically remove the drives. To this end, there is the notion of crypto-shredding.
Crypto-shredding is effectively summed up as the deletion of the key used to encrypt data that’s stored in the cloud.