Software Development Life Cycle (SDLC)

Learn the phases, methodologies, and processes of the software development life cycle (SDLC).


What is the software development life cycle?

The software development life cycle (SDLC), sometimes referred to as the software development process, is a standard project management framework that organizations use to create high-quality software with an accelerated time to production and lowered overall cost.

The SDLC approach to software development typically begins by looking for deficiencies that may be present within an existing system, defining the requirements for the new or improved system, and then designing and creating software for the new system.

Adopting an SDLC approach can help businesses clarify their goals, manage software projects more effectively, ensure project continuity when team members leave, test software adequately before it goes into production, and increase the likelihood of completing the project on time and within budget. The SDLC is also a repeatable process whose later phases feed back into the initial phases, enabling businesses to continually refine and improve their applications over time.

The seven phases of the software development life cycle (SDLC)

There are many SDLC models in use today, each with its own distinct advantages and limitations. Some SDLC approaches incorporate agile methodologies, which allow greater flexibility and incremental iteration, while others rely on the more linear and sequential waterfall methodology.

Each SDLC framework tends to consist of between five and seven distinct phases, depending on the company involved and its specific goals for software development. The core SDLC phases typically relate to software design, development, testing, and deployment.

Here are the seven phases most commonly found in SDLC methodologies:

  1. Planning. Product and project managers convene to discuss the scope of the project. At this stage, they may create early written deliverables such as a project plan, schedules, cost estimates, and procurement requirements.
  2. Requirements. Technology professionals begin gathering requirements from business stakeholders. If a previous system exists, they examine its deficiencies and identify any remediations that need to be addressed in the new version. If the software will be brand-new, they will simply proceed toward defining its requirements. In either case, the goal is to create a detailed definition of what the end product is intended to achieve.
  3. Design and prototyping. Software developers convert the requirements they have gathered into a software design plan. They outline the software's architecture and specify the technologies involved in its development as well as the team resources, time frames, and budget needed to create it.
  4. Development. Developers create the software, engaging stakeholders to confirm that it fulfills the desired requirements. At the end of this phase, the business should have functional software that can then be tested and deployed.
  5. Testing. This critical phase of the SDLC focuses on ensuring a high-quality product, employing a range of testing methods, including code quality checks, unit testing, integration testing, performance testing, and security testing, to confirm that the software behaves as intended. Flaws or bugs that were not detected in the development stage are examined and remediated before the final product proceeds to deployment.
  6. Deployment. After all issues have been fixed, the software is placed into production. In some larger enterprise environments this process is automated, whereas some midsize and smaller organizations or businesses in exceptionally regulated industries may require additional final sign-off steps before this phase is complete.
  7. Operations and maintenance. After the software has been deployed, it is continually monitored for potential bugs, defects, or security vulnerabilities. This phase can serve as the point at which the software, now in production, loops back into the earlier steps of the SDLC and is continually refined and improved.

Application security and the software development life cycle (SDLC)

While businesses often want to get new code out as quickly as possible in order to maximize opportunities in the market, this strategy sometimes fails to properly account for security concerns. Some businesses may discover unintended vulnerabilities that have the potential to gravely compromise their own corporate data as well as that of their clients. Some of the most severe breaches that have appeared in newspaper headlines in recent years have occurred because the businesses involved did not adequately prioritize security concerns early enough in the SDLC.

As the importance of application security has increased in recent years, more companies have begun factoring security concerns earlier into the SDLC. In doing so, they can better mitigate potential risks, detect bugs sooner, identify user experience issues earlier, and lower the costs involved with remediating all of these issues later on in the software development process. DevSecOps, a security-focused evolution of the popular DevOps concept of software design and deployment, seeks to explicitly embed application security best practices earlier into the SDLC.

Software development life cycle best practices

  1. Address security early on. Cybercriminals are increasingly targeting web applications, so businesses must prioritize security earlier in the SDLC. This is especially true if the software in question is mission-critical. Tapping the benefits of a web application security scanner and other forms of web application security testing early in the process helps your business reduce risk, address emerging issues before they become major problems, and cut costs.
  2. Consider a DevSecOps approach. Application security should be a shared responsibility across your security, IT operations, and development teams rather than an afterthought relegated to a single team toward the end of the SDLC (often in the testing phase, as listed above). Moving application security left in the SDLC helps you securely deploy software without compromising on speed.
  3. Encourage collaboration. Effective collaboration is essential, especially when not everyone involved speaks the same language or views issues through the same lens. For example, security teams view vulnerabilities as a major threat to the business, while their developer counterparts tend to chiefly view them as bugs to be fixed. Creating common tools and workspaces where the various teams can come together and collaborate, discuss issues early on, and foster a spirit of camaraderie will go a long way toward ensuring SDLC success.

The SDLC is an effective methodology for designing and creating software, but it especially shines when all stakeholders prioritize security concerns and thoughtfully weave security testing early into the process. By taking a security-conscious approach to your SDLC and encouraging effective collaboration among your teams, your business can bring high-quality software to market in less time and with fewer headaches along the way.
