Introduction to SDLC

The Software Development Lifecycle (SDLC) is a structured framework that describes the processes and stages involved in developing software applications. It outlines the sequence of activities from the initial concept and requirements gathering to the final deployment and maintenance of the software.

Tip

Research consistently shows that the cost of fixing a defect grows exponentially the later it is discovered. A bug caught in the Requirements phase may cost $1 to fix, while the same bug found in Production can cost $100 or more - this is known as the Rule of Ten.

---

Core Phases

While different organizations may have variations, the most common stages include:

1. Requirements Gathering & Analysis: Identifying and collecting software requirements by communicating with stakeholders. Analyzes feasibility, impact, and potential risks, resulting in a Software Requirement Specification (SRS) document.
2. Design: The system architecture is conceptualized. This includes high-level architecture, detailed modular designs, database schemas, and user interfaces.
3. Development (Implementation/Coding): The actual coding takes place based on the design specifications and coding standards.
4. Testing: Verifying the functionality, performance, and quality. This includes unit testing, integration testing, system testing, and acceptance testing.
5. Deployment: Releasing the software to the target environment (production servers, client infrastructure).
6. Maintenance: Ongoing support, bug fixes, security patches, feature enhancements, and performance optimizations.

Verification vs. Validation

These terms are often confused but serve distinct purposes within the Testing phase:

• Verification - “Are we building the product right?” Checks that the product conforms to its specification (e.g., code reviews, static analysis, inspections).
• Validation - “Are we building the right product?” Checks that the final product actually meets the real-world needs of the user (e.g., user acceptance testing, beta releases).

---

SDLC Models

Various SDLC models dictate how the phases are executed.

Traditional Models

• Waterfall Model: A linear, sequential approach. Each phase must be completed before the next begins. Minimal opportunity for iteration. Best for projects with rigid, unchanging requirements.
• V-Model: A variant of Waterfall that pairs each development phase with a corresponding testing phase (e.g., Requirements Analysis is paired with Acceptance Testing design). Used extensively in defense, automotive (ISO 26262), and medical device (IEC 62304) industries where every test must be traceable back to a requirement for regulatory compliance.
• Big Bang Model: Focuses almost entirely on coding with very little planning. Best for very small academic projects; highly risky for commercial software.

Iterative & Incremental Models

• Agile Model: Prioritizes flexibility, collaboration, and responsiveness to change. Projects are broken into small increments (sprints). Examples include Scrum and Kanban.
• Iterative Model: Delivers software in repeated cycles. Each iteration encompasses all SDLC phases, progressively refining the software based on feedback.
• Spiral Model: Combines Waterfall linear phases with iterative prototyping. Extremely focused on risk analysis and mitigation. Used primarily in large government contracts, aerospace, and defense where risk identification at each phase is a contractual requirement — not for typical commercial software.
• RAD (Rapid Application Development): An adaptive model focused on developing software in a very short period through heavy use of prototyping and focus groups.

Model Comparison

Model	Flexibility	Risk Tolerance	Best For	Team Size
Waterfall	Low	Low	Fixed-scope, regulated projects	Any
V-Model	Low	Low	Safety-critical systems	Medium–Large
Agile / Scrum	High	Medium	Evolving requirements, SaaS	Small–Medium
Spiral	Medium	High	Large, complex, high-risk	Large
RAD	High	Medium	Rapid prototyping	Small

---

Security in the SDLC: DevSecOps

Historically, security was treated as a separate stage bolted on at the end of development. Modern practices integrate security into every step: DevSecOps.

DevSecOps ensures software is secure from initial design to final delivery through continuous, automated security assessments.

SDLC Phase	DevSecOps Activity
Planning & Requirements	Identify security requirements, potential threats, and design principles.
Architectural Design	Threat modeling, access control planning, encryption mechanisms, architecture risk analysis.
Development & Testing	Static Application Security Testing (SAST), code reviews, penetration testing.
Deployment	Infrastructure as Code (IaC) scanning, firewall and access control configuration.
Maintenance	Continuous monitoring, vulnerability scanning (DAST), automated patching.

Note

DevOps is a collaborative approach bridging development and operations, focusing on continuous integration and delivery (CI/CD). DevSecOps simply injects security testing natively into that modern pipeline.