The Security Development Lifecycle: Where Secure Software Begins
November 6th, 2025
What is the Security Development Lifecycle (SDL)?
During the Software Development Lifecycle (SDLC), it is important to build security into the software itself, instead of building security on top of the new application. You can't have a secure SDLC without security being considered at every stage, which is the purpose of the SDL. The SDLC defines the overall phases like planning, coding, and deployment, while the SDL ensures security is built into every one of those phases from the beginning, rather than being a separate step at the end.
In this article, we will break down the phases, deliverables, tools, and methodologies that are a part of the SDL.
Phase 1: Security Assessment
Security Assessment, the first phase of the SDL, focuses on identifying the product's risk profile and planning SDL activities and security milestones. During this phase, security professionals try to answer four crucial questions: which regulatory/policy compliance requirements apply to the product, in what ways the product needs to maintain CIA (confidentiality, integrity, availability), how critical the information the product stores and the product itself are to the customer's mission, and what threats exist in the product's operational environment.
This phase has 7 key deliverables:
Risk Profile - Estimate the real product cost from all perspectives and identify liabilities.
Threat Profile - Define expected threats and plan for mitigations.
SDL Project Outline - Map SDL activities to the development timeline.
Regulatory and Legal Requirements Analysis - Formal sign-off on all legal compliance areas.
Certification Requirements - List all foreseeable operational/product certifications that will need to be obtained to deploy the product.
Metrics Template - Define cadence and data for reporting SDL progress (weeks until security team involvement, percent of stakeholders engaged in SDL activities, percent of SDL tasks mapped to development tasks, and percent of security objectives achieved).
Third-Party Software List - Identify dependencies and compliance impacts.
Phase 1 sets the foundation for the entire SDL and establishes security as a quality attribute early in development. The Security Assessment phase defines the stakeholders, milestones, and expectations for the remainder of the project.
Phase 2: Architecture Analysis
The “Architecture Analysis” phase of the SDL integrates security considerations into the SDLC. Its goal is to ensure threats, requirements, and constraints are analyzed from both technical and business perspectives. Security here is viewed as a business risk, focusing on confidentiality, integrity, and availability (CIA), as well as privacy and policy compliance requirements.
This phase has 5 key deliverables:
Business Requirements Document - A CIA-oriented document outlining "must-have" SDL activities.
Threat Modeling Artifacts - Includes Data Flow Diagrams (DFDs), reports, and threat lists.
Architectural Threat Analysis - Examines risk specific to the product's environment. It is business-risk oriented and focuses on risk prioritization.
Risk Mitigation Plan - Defines risk acceptance and tolerance levels.
Policy Compliance Report - An analysis of the adherence to company security policies.
Threat analysis also takes place during this phase using threat modeling frameworks like STRIDE (threat categorization/analysis), DREAD (threat rating), and PASTA (attack modeling). There are three simple steps for using STRIDE to perform threat analysis. First, decompose the system into relevant components. Second, evaluate each component for susceptibility to the threats defined by STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege). Third, mitigate the weaknesses discovered in the system. In short, the key outcomes for this phase of the SDL are threat modeling and attack surface analysis reports, security architecture design guidelines, continuous policy and privacy compliance verification, and a defined risk mitigation strategy.
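As an added illustration of the three STRIDE steps above (this is not code from the original article), the following Python decomposes a small system into DFD elements, enumerates the STRIDE threats that apply to each element type, and ranks them by DREAD score so mitigation starts with the highest-risk items. The STRIDE-per-element mapping and the DREAD averaging are the standard definitions; the sample DFD and its ratings are constructed for the example.

```python
from dataclasses import dataclass
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
# Standard STRIDE-per-element mapping: which categories apply to each kind
# of Data Flow Diagram (DFD) element.
APPLICABLE = {"external_entity": "SR", "process": "STRIDE",
              "data_store": "TRID", "data_flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # one of APPLICABLE's keys

@dataclass
class Threat:
    element: str
    category: str
    # DREAD factors (Damage, Reproducibility, Exploitability, Affected users,
    # Discoverability), each 0-10; empty until the threat has been rated.
    dread: tuple = ()
    def score(self) -> float:
        """DREAD rating: mean of the five factors, 0.0 if not yet rated."""
        return sum(self.dread) / 5 if self.dread else 0.0

def decompose_and_enumerate(elements):
    """Steps 1 and 2: emit every STRIDE threat that applies to each element."""
    return [Threat(e.name, STRIDE[c]) for e in elements for c in APPLICABLE[e.kind]]
def rate_and_rank(threats, ratings):
    """Attach DREAD ratings keyed by (element, category) and sort worst-first,
    so step 3 (mitigation) and the Risk Mitigation Plan start at the top."""
    for t in threats:
        t.dread = ratings.get((t.element, t.category), ())
    return sorted(threats, key=lambda t: t.score(), reverse=True)
# Constructed sample DFD: a browser calling a web API backed by a database.
SAMPLE_DFD = [Element("Browser", "external_entity"),
              Element("Web API", "process"),
              Element("Customer DB", "data_store"),
              Element("Browser->Web API", "data_flow")]
# Constructed DREAD ratings for three of the 15 enumerated threats.
SAMPLE_RATINGS = {
    ("Web API", "Elevation of privilege"): (9, 7, 6, 9, 5),        # 7.2
    ("Customer DB", "Information disclosure"): (10, 5, 4, 10, 6),  # 7.0
    ("Browser->Web API", "Tampering"): (6, 3, 3, 5, 4),            # 4.2
}

if __name__ == "__main__":
    for t in rate_and_rank(decompose_and_enumerate(SAMPLE_DFD), SAMPLE_RATINGS):
        print(f"{t.score():4.1f}  {t.element}: {t.category}")
```

Unrated threats sort to the bottom with a score of 0.0, which makes the gaps in the threat list (step 2 items nobody has rated yet) visible alongside the ranked ones.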
Phase 3: Design and Development
The goal of this phase is to enforce secure software design that integrates policy compliance, threat modeling, testing, security design review, and privacy into the SDLC and to introduce software design specifications formed from best practices for secure software deployment. Security activities mapped to this stage of the SDL include: policy compliance analysis, security testing (static, dynamic, fuzz, and manual), reviewing attack surfaces and threat models, the privacy implementation assessment, and vulnerability remediation.
This phase has 10 key deliverables:
Comprehensive Security Test Plans - Mapping of the types of tests required at different SDLC stages.
Design Security Review - Modifications to the design of the software product based on security findings.
Updated Threat Model Artifacts - Continue to identify threats to the software and update the threat model artifacts.
Privacy Implementation Assessment - Defines how the application will interact with user data (Is it collecting user data? What kind of data is being collected? Does the application have the user's consent to store PII? etc.).
Security Test Execution Report - Reviews progress of executed test cases.
Security Test Report - Findings from security tests.
Remediation Report - Status of the security posture of the product after test-based remediations have taken place.
Policy Compliance Report - An analysis of adherence to company security policy.
Privacy Compliance Report - Ensures that recommendations from the privacy implementation assessment were implemented.
Phase 3 integrates security and privacy into the SDLC through policy alignment, threat model updates, and rigorous testing. This phase emphasizes testing, tuning, and validating the software to ensure security and privacy before release.
Phase 4: Ship
Phase 4, “Ship,” represents the final stage of the Software Development Life Cycle and the SDL. It ensures that a software product is secure, compliant, and ready for release.
This phase has 5 key deliverables:
Final Policy Compliance Analysis - Analysis of adherence to company security policy.
Final Security Test Reports - Findings from the final security tests.
Remediation Reports - Final evaluation of the security posture of the product.
Customer Engagement Framework - Framework for determining how to disclose security information to customers.
Final Privacy and Security Review - Required formal sign-off by security/privacy management.
Open Source Licensing Review - Ensure all license conditions are satisfied.
Phase 4 confirms the product is ready for secure release and shipment. It finalizes all technical, legal, and privacy controls and transitions the software into post-release support.
Post-Release Support
After release, responsibility for the product's security shifts to coordinated organization-wide processes, while remaining anchored by the central software security group. Post-release support activities include drafting an external vulnerability disclosure response process, maintaining operational certifications, scheduling third-party security reviews, and determining the security strategy for post-release events such as systems reaching end of life (EOL) and mergers and acquisitions.
Summary
In conclusion, integrating security throughout the Software Development Lifecycle is not just a best practice—it is a necessity in today’s threat landscape. By embedding the Security Development Lifecycle (SDL) into every phase of the SDLC, organizations can proactively identify and mitigate vulnerabilities before they become costly issues. This approach fosters the creation of resilient, trustworthy software and ensures that security is not an afterthought, but a foundational element of the development process. Ultimately, a secure SDLC is only achievable when security is treated as an integral component from inception to deployment.
— Ben Skinner