At which phases of the SDLC should security be integrated, and with which activities?
Every phase, with security shifted left: integrated early, when fixing issues is cheapest, rather than bolted on as a final gate before release. Activities by phase:
- Requirements: define security requirements alongside functional ones; write abuse stories ('as an attacker, I want to…') to surface misuse cases.
- Design: threat model new features; conduct architecture security reviews before coding begins.
- Development: enforce secure coding standards; use IDE-integrated SAST (Static Application Security Testing) plugins for immediate feedback; require security-focused code review.
- Build / CI: automated SAST (e.g. Semgrep), SCA (Software Composition Analysis — known-vulnerable dependencies), and secrets scanning on every commit.
- Test: DAST (Dynamic Application Security Testing — testing running code), fuzz testing, and targeted penetration testing for high-risk features.
- Deploy: scan Infrastructure-as-Code (IaC) for misconfigurations; enforce WAF rules; review runtime configuration.
- Monitor: centralised logging, anomaly detection, and a vulnerability management process for ongoing issues.
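As an added example of the Build / CI step (not code from the original page), below is a minimal secrets scanner of the kind that runs on every push: it walks the added lines of a diff, flags AWS-style access key IDs by pattern and generic credential assignments by Shannon entropy, skips allowlisted fixture paths, and returns a non-zero status so the CI job fails. The diff, the key values (placeholders in the shape of AWS credentials, not live secrets), the allowlist paths and the 3.5 bits/char threshold are all constructed for the example.

```python
"""Toy CI secrets gate: scan added diff lines for credentials (added example)."""
from __future__ import annotations

import math
import re
import sys
from dataclasses import dataclass

# Constructed sample diff. The key values are made-up placeholders with the
# shape of real AWS credentials; they are not live secrets.
SAMPLE_DIFF = """\
+++ b/config/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DEBUG = True
+++ b/tests/fixtures/sample.txt
+token = "Zq8vR3tL9mXc2bYn4Wd7Hs0KpF6jA1eU"
+++ b/README.md
+Set AWS_ACCESS_KEY_ID in your environment before running.
"""

# Assumed policy: these paths are expected to hold fake credentials.
ALLOWLIST = ("tests/fixtures/", "docs/")
ENTROPY_THRESHOLD = 3.5  # bits per character; a common starting point, tune per repo

AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A key-ish identifier, then '=' or ':', then a quoted value of 16+ characters.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(?:secret|token|password|passwd|api[_-]?key|access[_-]?key)"
    r"[^=:]{0,20}[=:]\s*[\"']([^\"']{16,})[\"']"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # line number within the diff text
    rule: str
    snippet: str   # masked prefix only, so the secret never lands in CI logs


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for the empty string."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(line: str) -> tuple[str, str] | None:
    """Return (rule, matched_text) for the first rule the line trips, else None."""
    m = AWS_KEY_ID.search(line)
    if m:
        return ("aws_access_key_id", m.group(0))
    m = SECRET_ASSIGNMENT.search(line)
    if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
        return ("high_entropy_secret", m.group(1))
    return None


def scan_diff(diff: str, allowlist: tuple[str, ...] = ALLOWLIST) -> list[Finding]:
    """Scan only added lines; '+++ b/<path>' headers set the current file."""
    findings: list[Finding] = []
    path = ""
    for n, raw in enumerate(diff.splitlines(), start=1):
        if raw.startswith("+++ "):
            path = raw[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        if not raw.startswith("+"):
            continue  # context and removed lines are not new exposure
        if any(path.startswith(p) for p in allowlist):
            continue
        hit = classify(raw[1:])
        if hit:
            rule, text = hit
            findings.append(Finding(path, n, rule, text[:4] + "..."))
    return findings


def ci_gate(diff: str) -> int:
    """Exit status for a CI step: 0 when clean, 1 when any finding remains."""
    findings = scan_diff(diff)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule} ({f.snippet})", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    # Pipe a real diff in (e.g. `git diff origin/main...HEAD | python scan.py`),
    # or run with no input to scan the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    sys.exit(ci_gate(data))
```

Two design points worth copying into a real pipeline: scan only added lines, since removed lines are not new exposure, and mask the matched value before logging it, because CI logs are often far more widely readable than the repository itself. The allowlist is a path prefix rather than a pattern exception, so a fixture directory can hold realistic-looking test keys without the rule being weakened everywhere else.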
The payoff: by the commonly cited estimates, a defect found at the Design stage costs roughly an order of magnitude less to fix than the same defect found in production (the exact multiplier varies by study), because a late fix also carries redesign, re-testing, release and incident-handling costs.