What is the difference between SDL and SDLC?

S Connelly (Author)
Asked:
Hello all,
It's strange that I Google searched and found no answer because even Microsoft has asked their community for opinions on changing this sometimes confusing initialism.

Generally...
SDL = Secure Development Lifecycle
SDLC = Software Development Lifecycle (supported by Microsoft)

But my question is really about what are the differences between the two lifecycles? That is the question that I was surprised not to easily find in a Google search. It's like I am the first person, ever, to ask this question. LOL

I think I know the difference, but I don't want to influence my thoughts in this question.

Thank you. :)
Bill Prew (Top Expert 2016)
Commented:
IMHO, "Software Development Lifecycle" is a somewhat generic term for the structure and process that is used to manage software development. Sort of like "Project Management". There is not one ubiquitous Software Development Lifecycle that everyone follows; rather, different organizations adopt and create their own flavors of it to best suit their needs. There will be very different lifecycles for "Waterfall" development versus "Agile", for example.

Yes, you may find some standards or widely adopted concepts, and some things put forth by ISO, IEEE, etc. But I don't think standards are widely adopted for lifecycles; it's more common concepts that recur between them.

I believe SDL and SDLC are both just abbreviations for the same general concept, and in themselves do not pertain to one particular set of processes and standards.


»bp
S Connelly (Author, Technical Writer)
Commented:
Thanks Bill.

This is what I was thinking, based on what I inferred from reading messages from MS people.

SDL - Secure Development Lifecycle relates to the whole system and steps to ensure that software is secure. This system involves developers and ops engineers.

SDLC - Software Development Lifecycle. This relates specifically to the processes involved during the requirements planning and architecture, coding, testing, and release and maintenance phases.

Your thoughts?
Commented:
Both are the same; they are pointing to security considerations throughout the software development life cycle. Building security into software should begin when the development process begins. You should examine every phase of development—including the phase before development begins, definition and design, development, deployment, and maintenance—to see if your security processes can be improved. As a name, I prefer to use S-SDLC.

https://www.experts-exchange.com/articles/33288/Secure-SDLC-Principles-and-Practices.html
https://www.owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project

btan (Exec Consultant, Distinguished Expert 2018)
Commented:
In fact, you got it already.

SDLC is the fundamental building block for developing software in a structured manner. Agile methodology still rides on this with added sprints. But what is missing when people ask whether the code produced is secure: SDLC would not be sufficient. You need to bring in SDL.

SDL was originally defined elaborately by Microsoft, with security activities embedded into the SDLC phases. For example, the typical user requirement will undergo a risk assessment before moving into design and development, which will undergo critical design and security specification phases. I will not dive in, but you can think of it as there always being an equivalent security phase matching SDL to SDLC.

I would also like to share that some may view this as compliance by design (for SDLC) against security by design (SDL).

https://www.experts-exchange.com/articles/15679/Doing-Right-Security-Compliance-by-Design-or-Security-by-Design.html
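The idea in the comment above, that each SDLC phase has a matching SDL activity which must be finished before the project moves on, can be shown as a small phase-gate model. The following is an added example written for this thread; it is not Microsoft's SDL tooling or anything posted in the discussion, and the specific activities assigned to each phase (risk assessment at requirements, threat model at design, and so on) are an illustrative assumption rather than an official practice list.

```python
from dataclasses import dataclass, field

# Ordered SDLC phases. The SDL activities listed for each phase are an
# illustrative assumption for this example, not an official SDL practice list.
SDLC_PHASES = ["requirements", "design", "implementation",
               "verification", "release", "maintenance"]

SDL_GATES = {
    "requirements": {"risk_assessment", "security_requirements"},
    "design": {"threat_model", "attack_surface_review"},
    "implementation": {"static_analysis", "secure_code_review"},
    "verification": {"dynamic_testing", "fuzz_testing"},
    "release": {"final_security_review", "incident_response_plan"},
    "maintenance": {"vulnerability_monitoring"},
}


class GateBlocked(Exception):
    """Raised when a phase transition is attempted with SDL work outstanding."""


@dataclass
class Project:
    name: str
    phase: str = SDLC_PHASES[0]
    # activity name -> phase in which it was signed off
    signed_off: dict = field(default_factory=dict)

    def sign_off(self, activity: str) -> None:
        """Record completion of an SDL activity belonging to the current phase."""
        if activity not in SDL_GATES[self.phase]:
            raise ValueError(
                f"{activity!r} is not an SDL gate for phase {self.phase!r}")
        self.signed_off[activity] = self.phase

    def outstanding(self) -> set:
        """SDL activities still required before leaving the current phase."""
        return {a for a in SDL_GATES[self.phase] if a not in self.signed_off}

    def advance(self) -> str:
        """Move to the next SDLC phase, or raise GateBlocked naming what is missing."""
        missing = self.outstanding()
        if missing:
            raise GateBlocked(f"{self.name}: cannot leave {self.phase!r}; "
                              f"outstanding SDL activities: {sorted(missing)}")
        idx = SDLC_PHASES.index(self.phase)
        if idx == len(SDLC_PHASES) - 1:
            raise GateBlocked(f"{self.name}: already in final phase {self.phase!r}")
        self.phase = SDLC_PHASES[idx + 1]
        return self.phase


def run_demo() -> list:
    """Walk a constructed project through the first gate and return an event log."""
    log = []
    project = Project("inventory-service")   # constructed sample project
    try:
        project.advance()                    # blocked: no security work done yet
    except GateBlocked as err:
        log.append(str(err))
    for activity in ("risk_assessment", "security_requirements"):
        project.sign_off(activity)
    log.append(f"advanced to {project.advance()}")
    return log


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```

The point of the model is that the SDLC phase names stay exactly as they were; SDL only adds the gate condition on each transition, which is why the two terms look interchangeable in casual use but are not the same thing.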
S Connelly (Author, Technical Writer)
Commented:
Apologies.
Sometimes... er... most of the time, I need to move on to a different project, and then temporarily forget my EE questions. But this is still an important project.

Thanks again to everyone for your valuable assistance.

For my next steps, I need to build a custom SDL and OWASP curriculum. I plan to draw material from the following resources. I welcome any other good resources:

SDL
What is the secure software development life cycle (SDLC)? https://www.synopsys.com/blogs/software-security/secure-sdlc/
https://www.class-central.com/tag/sdlc
https://www.microsoft.com/en-us/sdl
https://www.wiziq.com/tutorials/sdlc
https://www.netcomlearning.com/courses/8991/Fundamentals-of-SDLC-training.html

OWASP
https://owasp-academy.teachable.com/
https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project
S Connelly (Author, Technical Writer)
Commented:
Thanks again.

I would love to hear about your favorite resources on these topics, or appsec in general.

FYI, I have also been listening to the following podcasts:
Steve Gibson's Security Now
The Secure Developer
Application Security (Chris Romeo, Robert Hurlbut)

In my developer appsec (SDL and OWASP) training program, I intend to offer a number of good resources for my developers... including Podcasts like the above.
btan (Exec Consultant, Distinguished Expert 2018)
Commented:
This may be of interest; also, probably consider DevSecOps as a future topic for discussion, as CI/CD is the chaining of SDL processes in an automated fashion for code build and release.

https://www.owasp.org/index.php/Phoenix/Tools
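To make the "chaining of SDL processes in an automated fashion" concrete, here is an added example of a minimal CI gate, written for this thread and not taken from any project or tool linked above. It chains two checks over a source tree (a scan for committed private-key material and a check that Python dependencies are pinned), collects every finding rather than stopping at the first one, and reports pass/fail so a pipeline can block the build. The secret patterns and the sample project it writes to a temp directory are constructed for illustration; a real pipeline would use a dedicated secret scanner and SCA tool.

```python
import os
import re
import tempfile

# Constructed signatures for credential material left in source. These only
# illustrate the check; a real gate would run a dedicated secret scanner.
SECRET_PATTERNS = [
    ("private key block",
     re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("hard-coded credential",
     re.compile(r"(?i)\b(?:api[_-]?key|password)\s*=\s*['\"][^'\"]{8,}['\"]")),
]


def check_no_secrets(root: str) -> list:
    """Return 'path:line: reason' findings for every secret-looking line under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for lineno, line in enumerate(fh, 1):
                    for reason, pattern in SECRET_PATTERNS:
                        if pattern.search(line):
                            rel = os.path.relpath(path, root)
                            findings.append(f"{rel}:{lineno}: {reason}")
    return findings


def check_pinned_dependencies(root: str) -> list:
    """Return findings for requirements.txt entries that are not pinned with '=='."""
    req = os.path.join(root, "requirements.txt")
    if not os.path.exists(req):
        return []
    findings = []
    with open(req, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()
            if not line or line.startswith("-"):
                continue  # blank, comment, or a pip option such as -r
            if "==" not in line:
                findings.append(
                    f"requirements.txt:{lineno}: unpinned dependency {line!r}")
    return findings


# The chain: each SDL process is one function; adding a step is appending here.
CHECKS = [check_no_secrets, check_pinned_dependencies]


def sdl_gate(root: str):
    """Run every check and return (passed, report); all findings are collected."""
    report = []
    for check in CHECKS:
        report.extend(check(root))
    return (len(report) == 0, report)


def build_sample_tree(clean: bool) -> str:
    """Write a constructed sample project into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="sdl_gate_")
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "src", "app.py"), "w") as fh:
        fh.write("def handler():\n    return 'ok'\n")
    reqs = "requests==2.31.0\n"
    if not clean:
        reqs += "pyyaml>=5\n"  # a version range, not a pin
        with open(os.path.join(root, "src", "deploy_key.pem"), "w") as fh:
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nNOT-A-REAL-KEY\n")
    with open(os.path.join(root, "requirements.txt"), "w") as fh:
        fh.write(reqs)
    return root


if __name__ == "__main__":
    for clean in (True, False):
        passed, report = sdl_gate(build_sample_tree(clean))
        print("gate", "PASSED" if passed else "BLOCKED")
        for finding in report:
            print("  ", finding)
```

Running `sdl_gate` as a pipeline stage and failing the job when `passed` is false is the DevSecOps pattern the comment refers to: the SDL activities do not change, they just run on every build instead of at a manual review.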
