SecSDM: A Model for Integrating Security into the Software Development Life Cycle

  • Lynn Futcher
  • Rossouw von Solms
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 237)


Most traditional software development methodologies do not explicitly include a standardised method for incorporating information security into their life cycles. It is argued that security considerations should provide input into every phase of the Software Development Life Cycle (SDLC), from requirements gathering to design, implementation, testing and deployment. Therefore, to build more secure software applications, an improved software development process is required. The Secure Software Development Model (SecSDM), as described in this paper, is based on many of the recommendations provided by relevant international standards and best practices, for example, the ISO 7498-2 (1989) standard which addresses the underlying security services and mechanisms that form an integral part of the model.


Risk analysis secure software development security mechanisms security services 


  1. 1.
    Taft, D. K. (2004, Dec). Microsoft aids secure coding. eWeek.Google Scholar
  2. 2.
    Jurjens, J. (2002, May). Using UMLSec and goal trees for secure systems development. Communications of the ACM, 48(5), pp. 1026–1030.zbMATHGoogle Scholar
  3. 3.
    Task Force Report. (2004, April). Improving security across the software development life cycle (Technical Report). National Cyber Security Summit.Google Scholar
  4. 4.
    Jones, R. L.& Rastogi, A. (2004, Nov). Secure coding–building security into the software development life cycle. Application Program Security, pp. 29–38.Google Scholar
  5. 5.
    Lipner, S.& Howard, M. (2005). The trustworthy computing security development lifecycle. 27. (cited on 15th April 2005)Google Scholar
  6. 6.
    Tryfonas, T.& Kiountouzis, E. (2002). Information systems security and the information systems development project. In Proceedings of IFIP.Google Scholar
  7. 7.
    ISO. (2005). ISO/IEC 17799: Information Technology–Code of Practice for Information Security Management.Google Scholar
  8. 8.
    ISO. (1998). ISO/IEC TR 13335-3: Information Technology–Guidelines for the Management of IT Security. Part 3; Techniques for the management of IT security.Google Scholar
  9. 9.
    NIST (1996, Sept). Generally accepted principles and practices for securing information technology systems. NIST Special Publication 800-14. (
  10. 10.
    ISO. (1989). ISO 7498-2: Information Processing Systems–Open System Interconnection — Basic Reference Model–Part 2: Security Architecture.Google Scholar
  11. 11.
    Tipton, H. F.& Krause, M. (2006). Information security management handbook (Fifth ed., Vol. 3). New York: United States of America: Auerbach Publications.zbMATHGoogle Scholar
  12. 12.
    Landoll, D. J. (2006). The security risk assessment handbook: A complete guide for performing security risk assessments. New York: United States of America: Auerbach Publications.Google Scholar
  13. 13.
    Whitman, M.& Mattord, M. (2003). Principles of information security. Thomson Course Technology.Google Scholar
  14. 14.
    Tompkins, F. G.& Rice, R. (1985). Integrating security activities into the software development life cycle and the quality assurance process. In Proceedings of IFIP pp. 65–105.Google Scholar
  15. 15.
    Siponen, M., Baskerville, R.& Kuivalainen, T. (2005). Integrating security into agile development methods. In Proceedings of the 38th Hawaii international conference on system sciences.Google Scholar
  16. 16.
    Gregory, P. H. (2003). Security in the software development life cycle (Technical Report). The Hart Gregory Group Inc.Google Scholar

Copyright information

© International Federation for Information Processing 2007

Authors and Affiliations

  • Lynn Futcher
    • 1
  • Rossouw von Solms
    • 1
  1. 1.Centre for Information Security StudiesNelson Mandela Metropolitan UniversityPort ElizabethSouth Africa

Personalised recommendations