Newcomer III

SDLC definition

Hi All, 


I know this is so low level and really context-related, but I have been referencing both the SDLC as we have been taught as meaning the "Software Development Lifecycle" and ISO 27034, where the definition for SDLC is "Systems Development Life Cycle(s)". This was raised in peer review of a document as slightly unclear.


They are somewhat interchangeable conceptually perhaps but should ISC2 perhaps adopt the ISO definition instead or tweak it to make it not clash?


I just added the acronym twice in my definitions table and expanded on first use in the paragraph to allow context.

Wayne

6 Replies
Contributor I

Re: SDLC definition

I'd support the adoption of the ISO definition.

Advocate I

Re: SDLC definition

The two terms are often used interchangeably in practice. The plus side of using the system definition is that you'd consider a wider range of things: the hardware, OS, database, middleware, hosting, business processes and training. Okay, you could be just writing a Lambda function or a microservice, but often the undertaking will be non-trivial.


-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Community Champion

Re: SDLC definition


@Wayne_Evans wrote:

I know this is so low level and really context-related, but I have been referencing both the SDLC as we have been taught as meaning the "Software Development Lifecycle" and ISO 27034, where the definition for SDLC is "Systems Development Life Cycle(s)".


ISO/IEC 27034 is very useful for building and maturing an application security program. The multi-part series represents much more than traditional thinking in terms of an SDLC; its focus is on refining the software engineering practices of an organization no matter how they define their SDLC processes. It would be great if we could standardize on one definition, but it is not going to happen. SDLC has simply become an abstraction that does not have to be defined within rigid constructs. What is more important is ensuring that security processes are built into the CI/CD processes of an organization's software lifecycle and then maturing them.


As a CSSLP we need to move the bar forward beyond traditional SDLC thinking and begin to standardize on Agile and CI/CD. Delivering quality (i.e., secure) software in a continuous delivery cycle should be the goal of our "SDLC" and whatever that means to an organization. Having said that ambiguous statement I would much rather retire the use of the term SDLC.


Btw, if anyone can't buy the standard, then check out Microsoft's Security Development Lifecycle documentation, because it is a reflection of the standard.

Community Champion

Re: SDLC definition


@AppDefects wrote:

As a CSSLP we need to move the bar forward beyond traditional SDLC thinking and begin to standardize on Agile and CI/CD. Delivering quality (i.e., secure) software in a continuous delivery cycle should be the goal of our "SDLC" and whatever that means to an organization. Having said that ambiguous statement I would much rather retire the use of the term SDLC.


Btw, if anyone can't buy the standard, then check out Microsoft's Security Development Lifecycle documentation, because it is a reflection of the standard.


Thanks for the link to Microsoft's document.