
The Secure Development Life Cycle (SDLC)

How security is handled in the development life cycle is frequently a reflection of the industry and its conventional or dictated development methodologies. Some product types, such as aircraft or cars, are simply not amenable to pure Agile development methodologies, because of the complexity and dependencies built into their supply chains, and the absolute nature of the intermediate and final delivery dates of their products.

Regardless, in many cases, development organizations do have some latitude when selecting a development methodology. This section spells out common development approaches and provides guidance on implementing security rigor within those approaches.

When selecting a development methodology, building security in from the beginning means that well-thought-out security, safety, and privacy requirements are elicited, and made traceable throughout the development and update of an IoT device or system. By system, we mean a collection of IoT devices, applications, and services that are integrated to support a business function.

Templated approaches are available that can be applied to any development effort. Microsoft's Security Development Lifecycle (https://www.microsoft.com/en-us/sdl/), for example, incorporates multiple phases: training, requirements, design, implementation, verification, release, and response.

Whichever security life cycle is chosen, it is overlaid on a preferred development approach. Popular methodologies today include Waterfall, Spiral, Agile, and DevOps. We discuss each methodology here.
