topic SDLC definition in Member Support

SDLC definition

Wayne_Evans — Mon, 29 Jul 2019 10:10:02 GMT

Hi All,

I know this is so low level and really context-related but I have been referencing both the SDLC as we been taught as meaning the "Software development lifecycle" but also been referencing ISO 27034 where the definition for SDLC is "Systems Development Life Cycle(s)". This was raised in peer review in a document as slightly unclear.

They are somewhat interchangeable conceptually perhaps but should ISC2 perhaps adopt the ISO definition instead or tweak it to make it not clash?

I just added the acronym twice in my definitions table and expanded on first use in the paragraph to allow context.

Wayne

Re: SDLC definition

wimremes — Mon, 29 Jul 2019 12:06:29 GMT

I'd support the adoption of the ISO definition.

Re: SDLC definition

Steve-Wilme — Mon, 29 Jul 2019 13:03:56 GMT

The two terms are often used interchangeably in practice. The plus side of using the system definition is that you'd consider a wider range of things; the hardware, OS, database, middleware, hosting, business processes and training. Okay you could be just writing a Lambda function or a microservice, but often the undertaking will be non tivial.

Re: SDLC definition

AppDefects — Mon, 29 Jul 2019 13:21:19 GMT

@Wayne_Evans wrote:
I know this is so low level and really context-related but I have been referencing both the SDLC as we been taught as meaning the "Software development lifecycle" but also been referencing ISO 27034 where the definition for SDLC is "Systems Development Life Cycle(s)".

ISO/IEC 27034 is very useful for building and maturing an application security program. The multi-part series represents much more than traditional thinking in terms of an SDLC, Its focus is upon refining the software engineering practices of an organization no matter how they define their SDLC processes. It would great if we could standardize on one definition, but it is not going to happen. SDLC has simply become an abstraction that does not have to be defined within rigid constructs. What is more important is ensuring that security process are built into CI/CD processes of an organizations software lifecycle and then maturing them.

As a CSSLP we need to move the bar forward beyond traditional SDLC thinking and begin to standardize on Agile and CI/CD. Delivering quality (i.e., secure) software in a continuous delivery cycle should be the goal of our "SDLC" and whatever that means to an organization. Having said that ambiguous statement I would much rather retire the use of the term SDLC.

Btw. if anyone can't buy the standard then check out Microsoft's Security Development Lifecycle documentation because it is a reflection of it the standard.

Re: SDLC definition

dcontesti — Mon, 29 Jul 2019 21:13:23 GMT

@AppDefects wrote:
As a CSSLP we need to move the bar forward beyond traditional SDLC thinking and begin to standardize on Agile and CI/CD. Delivering quality (i.e., secure) software in a continuous delivery cycle should be the goal of our "SDLC" and whatever that means to an organization. Having said that ambiguous statement I would much rather retire the use of the term SDLC.

Btw. if anyone can't buy the standard then check out Microsoft's Security Development Lifecycle documentation because it is a reflection of it the standard.

Thanks for the link to Microsoft's document.

Re: SDLC definition

denbesten — Tue, 30 Jul 2019 13:11:12 GMT

This discussion highlights a greater thought. Like many other words, acronyms have multiple definitions. The speaker has the responsibility to include context that makes the intended definition clear. This might include techniques such as linking to MS's Security page (thanks, @AppDefects!), referring to software or system in an earlier sentence, or even expanding the acronym on first use.

Although I generally agree with @wimremes's preference for deferring to standards, one also needs to consider that not all standards are aligned (e.g. ISO 12207 is "...Software Lifecycle...") and that focusing on just one definition, tends to disenfranchise the disciplines that default to the other definitions.

Re: SDLC definition

rslade — Tue, 30 Jul 2019 16:05:57 GMT

> denbesten (Community Champion) posted a new reply in Member Support on

> This discussion highlights a greater thought. Like many other words, acronyms
> have multiple definitions. The speaker has the responsibility to include context
> that makes the intended definition clear.

True.

Ultimately, though, I have been amused by the discussion, as the main point of
SDLC, whether "software" or "system" (and regardless of either), is the
importance of method, structure, planning, assessment, and cyclical recurrence.
"Method and order!" as Hercule Poirot would say ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Great wits are sure to madness near allied. - John Dryden, 1681
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB