Hi All,
I know this is so low level and really context-related, but I have been referencing both the SDLC as we have been taught as meaning the "Software development lifecycle" but also been referencing ISO 27034, where the definition for SDLC is "Systems Development Life Cycle(s)". This was raised in peer review in a document as slightly unclear.
They are somewhat interchangeable conceptually perhaps but should ISC2 perhaps adopt the ISO definition instead or tweak it to make it not clash?
I just added the acronym twice in my definitions table and expanded on first use in the paragraph to allow context.
Wayne
I'd support the adoption of the ISO definition.
The two terms are often used interchangeably in practice. The plus side of using the system definition is that you'd consider a wider range of things: the hardware, OS, database, middleware, hosting, business processes and training. Okay, you could be just writing a Lambda function or a microservice, but often the undertaking will be non-trivial.
@Wayne_Evans wrote: I know this is so low level and really context-related, but I have been referencing both the SDLC as we have been taught as meaning the "Software development lifecycle" but also been referencing ISO 27034, where the definition for SDLC is "Systems Development Life Cycle(s)".
ISO/IEC 27034 is very useful for building and maturing an application security program. The multi-part series represents much more than traditional thinking in terms of an SDLC. Its focus is upon refining the software engineering practices of an organization no matter how they define their SDLC processes. It would be great if we could standardize on one definition, but it is not going to happen. SDLC has simply become an abstraction that does not have to be defined within rigid constructs. What is more important is ensuring that security processes are built into the CI/CD processes of an organization's software lifecycle and then maturing them.
As a CSSLP we need to move the bar forward beyond traditional SDLC thinking and begin to standardize on Agile and CI/CD. Delivering quality (i.e., secure) software in a continuous delivery cycle should be the goal of our "SDLC", whatever that means to an organization. Having said that ambiguous statement, I would much rather retire the use of the term SDLC.
Btw, if anyone can't buy the standard, then check out Microsoft's Security Development Lifecycle documentation, because it is a reflection of the standard.
@AppDefects wrote: As a CSSLP we need to move the bar forward beyond traditional SDLC thinking and begin to standardize on Agile and CI/CD. Delivering quality (i.e., secure) software in a continuous delivery cycle should be the goal of our "SDLC", whatever that means to an organization. Having said that ambiguous statement, I would much rather retire the use of the term SDLC.
Btw, if anyone can't buy the standard, then check out Microsoft's Security Development Lifecycle documentation, because it is a reflection of the standard.
Thanks for the link to Microsoft's document.
This discussion highlights a greater thought. Like many other words, acronyms have multiple definitions. The speaker has the responsibility to include context that makes the intended definition clear. This might include techniques such as linking to MS's Security page (thanks, @AppDefects!), referring to software or system in an earlier sentence, or even expanding the acronym on first use.
Although I generally agree with @wimremes's preference for deferring to standards, one also needs to consider that not all standards are aligned (e.g. ISO 12207 is "...Software Lifecycle...") and that focusing on just one definition tends to disenfranchise the disciplines that default to the other definitions.