Use a seamless and safe process to develop, deploy, and maintain any modern software application.
The ability to create a software application has never been easier. Anyone can learn how to develop and deploy a full-blown, end-to-end system, all online with the help of a few existing solutions.
With ease comes the necessity, and the responsibility, to put in place a simple and secure software development lifecycle (SDLC). What is the software development lifecycle? Why should companies or individuals care about simplicity and security in their SDLC? The goal of this article is to answer these questions and provide a few simple steps that can help anyone simplify and secure their SDLC.
The software development lifecycle consists of six stages. In each of these stages, we can put in place simplicity, security, or both.
The following image lays out a typical SDLC:
The planning stage is one of the most important stages in the SDLC.
During this stage, input comes from a wide range of sources. This input can come from internal teams (such as sales, marketing, and leadership) or even clients. We can bring simplicity to this stage by using efficient methods of information gathering. Here at risk3sixty we use a well know software development platform, called GitHub, to collect and store all information in one place. This allows us as a team to ensure we receive all input and organize it in a clear and concise way.
Security is also taken into account during the planning stage. This could take the form of topics such as quality assurance requirements and potential risks of the project.
The next stage, analysis, defines and documents the product requirements needed to move forward.
We are now grooming the information provided, and molding it into a set of explicit action items to begin development. For us at risk3sixty, this begins with a project kickoff meeting and ends with ownership of specific tasks to complete the project.
We also use GitHub for creating individual tasks and assigning those items to specific developers.
After analysis comes design.
The design should be the most in-depth step of the process, as it could have huge implications on reliability and scalability. There are also more serious security concerns than in the previous two stages. Here we must consider things such as data models, UI/UX, and performance.
During this stage, security is important when discussing how we will be implementing the requirements, and what we will be using to do so.
If we need a third-party library, software, or vendor for the project, we must properly vet it and check its risk profile and security policies. As an example, at risk3sixty we use a package manager (npm) to handle our third-party libraries. It ensures libraries are up to date and free of any known vulnerabilities.
This gives us the ability to download a library, manage its version, and update it on our platform whenever the library owner updates it. The package manager also has the ability to audit any known vulnerabilities of the current libraries in your platform. It then rates them on a scale of low, moderate, high, and critical for us to focus on.
This provides a simple way to ensure the use of third party libraries is secure.
Once the design is complete, the actual implementation must begin.
This is the stage where the rubber meets the road. All the information gathered in the previous three steps begins to take form. Simplicity is a common theme in coding best practices. Functional programming and component-based frameworks both stress clean and reusable code. Here at risk3sixty, we build our code on both of these common practices, along with other highly regarded coding ideals.
Simplicity in software gives current and future developers the ability to read, understand, and update the code.
Security during implementation is in the hands of the developer. Understanding potential bugs, risks, and vulnerabilities in the code can be difficult. Developers must rely on a code-based approach to solve this problem.
The most common solution for added security in implementation is utilizing a testing framework. Here at risk3sixty, we use a testing framework called Mocha and have implemented tests against our codebase. 100% test coverage against the entire codebase is the ultimate goal, but any coverage is better than none.
This leads us to the next stage of the lifecycle: testing and integration.
As mentioned above, we use testing frameworks to run tests against the codebase, but we want to automate the process of testing and integration. There are many services available to automate this process, but at risk3sixty we use a well-known platform called CircleCI. This allows us to test our code in an automated and periodic way.
Not only does it run the written tests mentioned above, but it also builds the application to ensure there are no issues when we deploy the code. This gives the developers a sense of security before the code is deployed to any environment.
Note: Another important part of testing and integration that we have adopted here at risk3sixty is user acceptance testing (UAT). This step adds a level of human interaction designed to mimic real situations. It helps catch any other issues or bugs that were not caught in the previous steps. At risk3sixty, once a release is ready for production, we push to a production replicated environment. Internal team members test in this environment and, once approved, we push to production.
Automating deployments helps us achieve simplicity in the testing and integration stage. Our application hosting service, called Heroku, handles deploying code to specific environments. It does so by integrating with our codebase in GitHub. This allows for simplicity in the management and deployment of our applications.
Finally, the maintenance stage.
The project almost never turns out perfectly when it meets reality, and this stage keeps the software in iterative refinement.
In other words, the maintenance stage is an ongoing process that continues to track and report the current status of the application.
We can add security and simplicity in this stage by having proper logging and monitoring throughout an application. At risk3sixty we use the Heroku platform, as well as AWS CloudWatch, to track our applications.
Heroku allows us to set thresholds and alerts for application load and response times. AWS CloudWatch captures any fatal errors thrown by the code itself. A combination of the two gives us peace of mind in both the performance and scalability of the entire application.
Implementing simplicity and security in your own SDLC will bring confidence and efficiency to your development processes. If you have questions about implementing security practices into your own development lifecycle, reach out to an expert here!