Secure Development

Secure development is about integrating security throughout the software development lifecycle. Instead of testing security at the end, it is built in from requirements and design, through coding and testing, to operations and maintenance.

    What is secure development?

    Secure development (Secure Software Development Lifecycle, Secure SDLC) is an approach where security is an integral part of software development from day one. It is closely related to application security, but focuses specifically on the development process and culture.

    Traditionally, security was only addressed in the testing phase or after deployment. The problem is that security flaws discovered late are expensive and time-consuming to fix. A vulnerability found during the design phase costs a fraction of what it costs to fix in production.

    Secure development requires a combination of processes (threat modelling, code reviews), tools (vulnerability scanning, SAST) and culture (security awareness among developers, security champions).

    Security in every phase

    • Requirements: Define security requirements alongside functional requirements. Identify which data is processed and which regulations apply (GDPR, DORA).
    • Design: Conduct threat modelling (e.g. STRIDE) to identify attack vectors. Apply principles such as least privilege and defence in depth. Plan encryption, access control and logging.
    • Implementation: Use secure coding guidelines (OWASP, CERT). Automate SAST in the CI/CD pipeline. Conduct code reviews with a security focus. Scan for hard-coded credentials.
    • Testing: Run DAST against test environments. Carry out penetration tests before major releases. SCA tools check third-party libraries for known vulnerabilities.
    • Deployment and operations: Use secure configuration of production environments. Monitor with SIEM. Keep dependencies up to date with patch management.

    DevSecOps in practice

    DevSecOps brings security into DevOps by automating security checks in the CI/CD pipeline:

    Pre-commit: Secret scanning prevents credentials from being committed to the codebase. Linting rules catch insecure code patterns.

    Build: SAST scans source code for vulnerabilities. SCA checks dependencies against databases of known vulnerabilities (CVE). Container scanning checks base images.

    Test: DAST and vulnerability scanning test the deployed artefact in a test environment. Automated security tests validate critical security functions.

    Release: Security gates ensure that critical vulnerabilities are addressed before code is released to production. Compliance checks verify that regulatory requirements are met.
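The pre-commit secret-scanning step above, sketched as an added example (not code from the original page or from any particular scanner). The rule names, the `secret-scan:allow` marker, the 3.5-bit entropy threshold and the sample diff are all assumptions constructed for illustration.

```python
import math
import re

# Illustrative rules only; production scanners ship far larger rule sets.
KNOWN_FORMATS = {"aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}
# name = "value" assignments whose name suggests a credential
ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]")
ALLOW_MARKER = "secret-scan:allow"  # hypothetical inline suppression marker

# Constructed sample: a staged change in unified diff format.
SAMPLE_DIFF = """\
--- a/app/settings.py
+++ b/app/settings.py
@@ -10,2 +10,6 @@
 DEBUG = False
+DB_PASSWORD = "changeme"
+API_KEY = "q8Zr2LwX9vTb4NcY7pKd"
+AWS_ID = "AKIAIOSFODNN7EXAMPLE"
+TEST_TOKEN = "q8Zr2LwX9vTb4NcY7pKd"  # secret-scan:allow
 ALLOWED_HOSTS = []
"""

def shannon_entropy(value):
    """Bits per character; random tokens score higher than words or placeholders."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def scan_diff(diff_text, min_entropy=3.5):
    """Return (file, line_no, rule) for each suspected secret on an added line."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = re.sub(r"^b/", "", raw[4:])
        elif raw.startswith("@@"):
            # Hunk header "@@ -old,count +new,count @@": take the new-file start line.
            line_no = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):
            line_no += 1
            if ALLOW_MARKER in raw:
                continue  # reviewed and explicitly accepted, e.g. a test fixture
            for name, pattern in KNOWN_FORMATS.items():
                if pattern.search(raw):
                    findings.append((path, line_no, name))
            match = ASSIGNMENT.search(raw)
            if match and shannon_entropy(match.group(1)) >= min_entropy:
                findings.append((path, line_no, "high-entropy-credential"))
        elif raw.startswith(" "):
            line_no += 1  # context lines also advance the new-file line number
    return findings
```

In a pre-commit hook the function would receive the output of `git diff --cached` and the hook would exit non-zero when the list is non-empty. The entropy filter trades recall for fewer false positives: a weak hard-coded password such as `changeme` passes it, which is one reason the later SAST and review stages still look for hard-coded credentials.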

    Security champions in each development team act as a bridge to the security team and promote secure coding practices in everyday work. Regular security training keeps developers' knowledge up to date.

    Regulations and standards

    ISO 27001 and Annex A contain controls for secure system development (A.8.25-A.8.28), including secure coding rules, testing and protection of test data. An ISMS must address secure development.

    DORA requires financial entities to have secure development processes for their ICT systems. NIS2 imposes similar requirements on secure system development.

    CIS 18 Control 16 is dedicated to application security and secure development. Under GDPR, secure development supports the principle of data protection by design and by default (Article 25), which forms part of technical and organisational measures.

    Frequently Asked Questions about Secure Development

    What is DevSecOps?

    DevSecOps integrates security into the DevOps process. Instead of security being a separate phase, it is part of every phase: planning, coding, build, test, release and operations. Security is automated in the CI/CD pipeline.

    What is threat modelling?

    Threat modelling is a structured method for identifying potential security threats to an application during the design phase. Methods such as STRIDE and DREAD help categorise threats and prioritise countermeasures.

    What are security champions?

    Security champions are developers with a particular interest in and training in security. They act as a bridge between the security team and the development team, promote secure coding practices and help resolve security issues in day-to-day work.

    Which tools are used in secure development?

    SAST tools scan source code for vulnerabilities. SCA tools check third-party libraries. DAST tools test running applications. Secret scanners find hard-coded credentials. These are typically integrated into the CI/CD pipeline.
