Secure SDLC
SSDLC integrates security at every phase: threat model, SAST, DAST, secrets scan, container scan in CI/CD.
Secure Software Development Lifecycle (SSDLC)
# Security integrated at every development phase
# 1. Planning
# Threat model the feature
# Security requirements defined
# Privacy impact assessment
# 2. Design
# Security architecture review
# Least privilege design
# Cryptographic approach selected
# 3. Development
# Secure coding standards
# Peer code review for security
# IDE security plugins (Snyk, SonarLint)
# 4. Testing
# SAST: Bandit, Semgrep, Checkmarx
# DAST: OWASP ZAP against staging
# Dependency scan: pip-audit, npm audit
# Secret scanning: Gitleaks, detect-secrets
# 5. Deployment
# Security configuration review
# Container image scan: Trivy
# Infrastructure as Code scan: Checkov (Terraform)
checkov -d ./terraform --check CKV_AWS_*
# 6. Monitoring
# SIEM alerts on anomalies
# Penetration test annually
# Bug bounty programme
# Automated CVE scanning
# DevSecOps CI pipeline
# code push -> SAST -> deps scan -> secrets scan -> build
# -> container scan -> DAST against staging -> deploy
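A merge gate for the pipeline just described, as an added example that is not from the page or from any of the named tools' projects: it reads the JSON reports Semgrep, pip-audit, Gitleaks and Trivy can emit, collects the findings that should block a deploy, and exits non-zero so the CI job fails. The JSON field names follow each tool's report format as assumed here; the sample reports, rule ids and CVE ids are constructed placeholders.

```python
import json
from typing import Any

# Gate policy for the pipeline above: any leaked secret, any Semgrep ERROR,
# any vulnerable dependency and any HIGH/CRITICAL container vulnerability
# blocks the build. The thresholds are a policy choice, tune them per project.
BLOCKING_TRIVY = {"HIGH", "CRITICAL"}

def semgrep_blockers(report: dict[str, Any]) -> list[str]:
    # Semgrep JSON (assumed shape): results[].check_id, results[].extra.severity
    return [r["check_id"] for r in report.get("results", [])
            if r.get("extra", {}).get("severity") == "ERROR"]

def pip_audit_blockers(report: dict[str, Any]) -> list[str]:
    # pip-audit JSON (assumed shape): dependencies[].vulns[].id
    return [f'{d["name"]}:{v["id"]}' for d in report.get("dependencies", [])
            for v in d.get("vulns", [])]

def gitleaks_blockers(report: list[dict[str, Any]]) -> list[str]:
    # Gitleaks JSON (assumed shape): one object per finding with RuleID and File
    return [f'{f["RuleID"]}@{f["File"]}' for f in report]

def trivy_blockers(report: dict[str, Any]) -> list[str]:
    # Trivy JSON (assumed shape): Results[].Vulnerabilities[], key absent when clean
    return [v["VulnerabilityID"] for res in report.get("Results", [])
            for v in res.get("Vulnerabilities") or []
            if v.get("Severity") in BLOCKING_TRIVY]

def evaluate_gates(semgrep, pip_audit, gitleaks, trivy) -> dict[str, list[str]]:
    """Blocking findings per stage; an empty dict means the deploy may proceed."""
    stages = {
        "sast": semgrep_blockers(semgrep),
        "deps": pip_audit_blockers(pip_audit),
        "secrets": gitleaks_blockers(gitleaks),
        "container": trivy_blockers(trivy),
    }
    return {name: hits for name, hits in stages.items() if hits}

# Constructed sample reports (not real scanner output) to exercise the gate.
SAMPLE_SEMGREP = {"results": [
    {"check_id": "example.sast.eval-detected", "extra": {"severity": "ERROR"}},
    {"check_id": "example.style.unused-import", "extra": {"severity": "INFO"}}]}
SAMPLE_PIP_AUDIT = {"dependencies": [{"name": "requests", "version": "2.0.0", "vulns": []}]}
SAMPLE_GITLEAKS = [{"RuleID": "aws-access-token", "File": "config/settings.py", "StartLine": 12}]
SAMPLE_TRIVY = {"Results": [{"Target": "app:latest", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0000", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0001", "Severity": "LOW"}]}]}

if __name__ == "__main__":
    blocked = evaluate_gates(SAMPLE_SEMGREP, SAMPLE_PIP_AUDIT, SAMPLE_GITLEAKS, SAMPLE_TRIVY)
    print(json.dumps(blocked, indent=2))
    raise SystemExit(1 if blocked else 0)  # non-zero exit fails the CI job
```

In a real job each scanner writes its report to a file (for example `semgrep --json -o semgrep.json`) and the script loads those files instead of the constructed samples.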