A Survey on the Effectiveness of the Secure Software Development Life Cycle Models

  • Jing-Chiou Liou
  • Saniora R. Duclervil


Today, a central and critical aspect of cybersecurity problems is related to software problems. Software security is about understanding software-induced security risks and how to manage them. To manage software security effectively, we need to understand the process of designing, building, and testing software for security. The System Development Life Cycle (SDLC) process currently used to support software development does not address security until after the software has been developed. From the perspective of software security, the Secure Software Development Life Cycle (SSDLC) is similar to the SDLC but includes security components in each of its phases. Many SSDLC models have been proposed, most of them modified from pre-existing SDLC models. A study was conducted to survey a selected group of SSDLC models and their effectiveness. The authors first identified four popular SSDLC models used in the IT industry and then analyzed their common characteristics to derive four sets of criteria for comparison: Focus Areas of Application, Implementation of Model, Security Implementations and Enhancements, and Security Training and Staff. Overall, the comparison results show that the Rastogi and Jones model is an effective one for many IT projects, especially Agile projects. However, it is worth noting that, because of the variety of IT projects, no single model can be applied to all types of IT project. For an IT project run in Waterfall, the BSI Seven Touchpoints model can be an excellent alternative.


Keywords: System Development Life Cycle (SDLC); Secure Software Development Life Cycle (SSDLC); Cybersecurity; IT project management


  1. Identity Theft. Accessed 24 Feb 2020
  2. Massive Smart Home Breach Leads to Consumer Security Concerns. Accessed 24 Feb 2020
  3. Ring Throws Customers Under the Bus After Data Breach. Accessed 24 Feb 2020
  4. H.D. Benington, Production of large computer programs, in Proceedings, ONR Symposium on Advanced Programming Methods for Digital Computers (1956), pp. 15–27
  5. W.W. Royce, Managing the development of large software systems, in Proceedings, IEEE WESCON 26, 1–9 (1970). Accessed 24 Feb 2020
  6. B.W. Boehm, A spiral model of software development and enhancement. Computer 21(5), 61–72 (1988)
  7.
  8. K. Beck et al., Manifesto for Agile Software Development. Accessed 24 Feb 2020
  9. J.M. Kerr, R. Hunter, Inside RAD: How to Build a Fully Functional System in 90 Days or Less (McGraw-Hill, 1994)
  10. Software Prototyping. Accessed 24 Mar 2020
  11. I. Jacobson, G. Booch, J. Rumbaugh, The Unified Software Development Process (Addison-Wesley Professional, 1999)
  12. K. Beck, Extreme Programming Explained: Embrace Change (Addison-Wesley, 2000)
  13. European Commission, Special Eurobarometer 460: Attitudes towards the impact of digitisation and automation on daily life (2017). Accessed 24 Feb 2020
  14.
  15. R.L. Jones, A. Rastogi, Secure coding: Building security into the software development life cycle. Inf. Syst. Secur. 13(5), 29–39 (2004)
  16. E. Keary, J. Manico, Secure Development LifeCycle (n.d.). Accessed 24 Feb 2020
  17. S. Lipner, The trustworthy computing security development lifecycle, in Proc. 20th Annual Computer Security Applications Conference, Tucson, AZ (2004), pp. 2–15
  18. G. McGraw, Software security. IEEE Secur. Priv. 2(2), 80–83 (2004)
  19. Microsoft, Microsoft Security Development Lifecycle (SDL), Version 5.2 (2012). Accessed 24 Feb 2020
  20. M. Morana, Building Security into the Software Life Cycle: A Business Case (n.d.). Accessed 24 Feb 2020
  21. T. Ayalew, T. Kidane, B. Carlsson, Identification and evaluation of security activities in agile projects, in Proc. 2013 Nordic Conference on Secure IT Systems (NordSec), Ilulissat, Greenland (2013), pp. 139–153
  22. M.I. Daud, Secure software development model: A guide for secure software life cycle, in Proc. International MultiConference of Engineers and Computer Scientists 2010, Vol. I, Hong Kong (2010)
  23. J. Gregoire, K. Buyens, B. De Win, R. Scandariato, W. Joosen, On the secure software development process: CLASP and SDL compared, in Proc. 29th International Conference on Software Engineering Workshops (2007). Accessed 24 Feb 2020
  24. K. Tiirik, Comparison of SDLC and Touchpoints. Accessed 24 Feb 2020
  25. B. De Win, R. Scandariato, K. Buyens, J. Gregoire, W. Joosen, On the secure software development process: CLASP, SDL and Touchpoints compared. Inf. Softw. Technol. 51(7), 1152–1171 (2009)
  26. Microsoft, Security Development Lifecycle for Agile Development, in Microsoft Security Development Lifecycle (2009). Accessed 24 Feb 2020
  27. G. McGraw, Software Security: Building Security In. Accessed 24 Mar 2020
  28. N. Davis, Developing secure software, in Secure Software Engineering. The DoD Software Tech News 8(2), 3–7 (2005). Accessed 24 Feb 2020
  29. J.W. Over, Team Software Process for Secure Software Development (2002). Accessed 24 Feb 2020

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. School of Computer Science and Technology, Kean University, Union, NJ, USA