February 27, 2025
PART 3 – Navigating security challenges: The Secure Software Development Lifecycle meets DevOps
6 Minutes
In part 3 of this series, we’ll describe the post-implementation phases of a secure software development lifecycle, or SSDLC.
Release and deployment
At this phase of the release, the artefacts that are ready are deployed into the production environment. In DevOps, this phase is often called the “package and release” phase. The aim of this phase is to ensure the security and integrity of deliverables are not compromised during deployment. The released artefacts are integrity checked to ensure the pipeline has remained intact throughout the release process. If the release is a first-time launch of a new system, this is the last point at which rigorous acceptance testing, including security tests, can be performed.
The deployment process should be planned and implemented in a way that allows minimum possibility of human error. Infrastructure as code, or IaC, supports this ideology, but there are a wide range of configurations—platform, cloud, application, and database—all of which should be tested and verified from a security perspective.
The release and deployment phase contains processes and procedures for preparing the delivered system or system functionalities for the centralized logging system. The log delivery mechanism and log monitoring process are activated, and the possible Security Operations Center, or SOC, begins actively monitoring the deployed system.
Implementation, testing and verification, and release and deployment are heavily supported by an automated CI/CD pipeline.
Maintenance
Applications require continued attention after they’re put into production. Maintenance can be viewed as part of the development cycle; it is typically called the “monitor” phase in DevOps. This may seem easy enough if application development continues after production deployment, but what happens to maintenance of the deployed application if the team moves on to the next project?
The dynamic nature of the threat landscape and the continuous emergence of new vulnerabilities require active monitoring of the deployed application combined with vulnerability management processes. These processes should be documented and operational, with comprehensive procedures and methodologies for effectively monitoring vulnerabilities across all layers of the technological stack and implementing processes to respond to emerging threats. The SOC (Security Operations Center) monitors the system during the maintenance phase, while the responsible party updates the stack (development, cloud, platform, and so on). The responsibilities of the various parties are defined during previous SSDLC phases.
Feedback loops
There’s a good chance your organization’s development cycle already includes continuous improvement processes built into it. This phase may just be a matter of tweaking existing feedback processes by adding feedback from the required security controls as designed, implemented, and tested. Feedback can be automatically or manually requested or gathered from multiple sources: during project meetings, using agile methodologies, from static analysis reports, and so on.
When the lifecycle ends
An application eventually reaches the end of its lifecycle. It is critical to proactively plan for secure closure of a service—ideally when establishing data handling requirements during the relevant design phase. What happens to data when the service is shut down? If data needs to be transferred or archived, how is this managed? The characteristics of the data and the organization’s data handling procedures inform this process.
Not all systems are equal
There are various methods for implementing security during system development and operation. However, not all systems involve data that necessitates the highest level of security. It is important to assess the right level of security and the relevant controls using a risk-based approach in adherence to the organization’s risk-management processes.
Conclusion
Bringing robust security to daily working habits is rarely straightforward, nor does it always come easily. Leveraging Secure by Design principles during development while maintaining speed and agility may seem daunting. Acknowledging the challenges involved and dedicating the necessary resources, time, and effort can allow an organization to foster a culture of security and ultimately build more resilient and secure systems. This never-ending journey requires collaboration, ongoing education, and a commitment to prioritizing security throughout the entire DevSecOps lifecycle, without forgetting other important security aspects, such as physical security and workstation security.
And in the long run, the rewards of enhanced security, reduced risk, and increased customer trust are well worth resources dedicated to DevSecOps. After all, you cannot outsource responsibility for security.
Furthermore, automation, artificial Intelligence, machine learning, and large language models, or LLMs, are opening new ways of incorporating security into the development lifecycle—but that’s a subject for another blog.
General secure development resources
https://www.microsoft.com/en-us/securityengineering/sdl
https://owasp.org/www-pdf-archive/Jim_Manico_(Hamburg)_-_Securiing_the_SDLC.pdf
Requirements resources
Design and implementation resources
Jari Mannonen is working as the Head of Cyber Security Development at Piisku. He has over 20 years of consultancy experience in business-critical information technology and application architecture, with a focus on cybersecurity.
In this article, we have used AI-generated images.