Security life cycle
Security is generally regarded as a non-functional requirement for a solution. However, with the growing number of cyber-attacks, it is considered a functional requirement these days.
Every organization follows some sort of application life cycle management for its applications. When security is treated as a functional requirement, it should follow the same process as application development. Security should not be an afterthought; it should be part of the application from the beginning. Within the overall planning phase for an application, security should also be planned. Depending on the nature of the application, the different kinds and categories of threats it faces should be identified, and the approach and scope for mitigating each of them should be documented. A threat modeling exercise should be undertaken to illustrate the threats each component could be subjected to. This leads to the security standards and policies for the application and is typically called the security design phase. The next phase is the threat mitigation or build phase, in which security is implemented in code and configuration to mitigate the identified threats and risks.
A system cannot be considered secure until it is tested. Appropriate penetration tests and other security tests should be performed to identify threat mitigations that have not been implemented or have been overlooked. The bugs found in testing are remediated, and the cycle continues throughout the life of the application. This process of application life cycle management, as shown in the following diagram, should be followed for security:
Threat modeling, threat identification, mitigation, testing, and remediation are iterative processes that continue even after an application or service becomes operational. The entire environment and its applications should be actively monitored to identify and mitigate threats proactively. Monitoring should also produce alerts and audit logs to support reactive diagnosis, troubleshooting, and the elimination of threats and vulnerabilities.
The security life cycle of any application starts with the planning phase, which leads to the design phase. In the design phase, the application's architecture is decomposed into granular components with discrete communication and hosting boundaries. Threats are identified based on how each component interacts with other components within and across those hosting boundaries. Identified threats are mitigated by implementing appropriate security features within the overall architecture, and the mitigations are tested to verify that the identified vulnerability no longer exists. After the application is deployed to production and becomes operational, it is monitored for security breaches and vulnerabilities, and either proactive or reactive remediation is conducted.
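The decomposition described in the design phase above (components, hosting boundaries, and the interactions that cross them) and the mitigate-then-test cycle from the build and testing phases can be tracked in a simple model. The following is an added example, not code from the original text or from the Microsoft SDL; the component names, boundary names, threats and mitigations in it are constructed for illustration. It flags every flow that crosses a hosting boundary as needing an explicit threat entry, reports crossing flows that have none (a gap in the model), and classifies each recorded threat as open, mitigated but untested, or closed, so the untested mitigations the testing phase must cover are visible.

```python
"""Minimal threat-model bookkeeping for the design -> mitigate -> test cycle.

Added example; all names and threats below are constructed, not taken from any
real system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    boundary: str  # hosting boundary the component runs in (constructed labels)


@dataclass(frozen=True)
class Flow:
    """A communication path between two components."""
    source: str
    target: str
    protocol: str


@dataclass
class Threat:
    """A threat identified on one flow, with its mitigation and test state."""
    flow: Flow
    description: str
    mitigation: str = ""     # empty string means no mitigation designed yet
    tested: bool = False     # True once a security test confirmed the mitigation

    def status(self) -> str:
        if not self.mitigation:
            return "open"
        if not self.tested:
            return "mitigated-untested"
        return "closed"


def boundary_crossing_flows(components, flows):
    """Return flows whose endpoints live in different hosting boundaries.

    These are the interactions the design phase must subject to threat
    identification; flows inside one boundary are not flagged here.
    """
    by_name = {c.name: c for c in components}
    crossing = []
    for f in flows:
        if f.source not in by_name or f.target not in by_name:
            raise ValueError(f"flow references unknown component: {f}")
        if by_name[f.source].boundary != by_name[f.target].boundary:
            crossing.append(f)
    return crossing


def uncovered_flows(crossing, threats):
    """Boundary-crossing flows with no threat recorded at all."""
    covered = {t.flow for t in threats}
    return [f for f in crossing if f not in covered]


def summarize(threats):
    """Count threats by life cycle state."""
    counts = {"open": 0, "mitigated-untested": 0, "closed": 0}
    for t in threats:
        counts[t.status()] += 1
    return counts


def build_sample_model():
    """Constructed sample: a browser, a web tier with two services, a data tier."""
    components = [
        Component("browser", "internet"),
        Component("webapp", "web-tier"),
        Component("worker", "web-tier"),
        Component("db", "data-tier"),
    ]
    browser_web = Flow("browser", "webapp", "https")
    web_worker = Flow("webapp", "worker", "queue")   # same boundary, not flagged
    web_db = Flow("webapp", "db", "sql")
    worker_db = Flow("worker", "db", "sql")          # crossing, but no threat recorded
    flows = [browser_web, web_worker, web_db, worker_db]
    threats = [
        Threat(browser_web, "credentials exposed in transit",
               mitigation="TLS required for all client traffic", tested=True),
        Threat(browser_web, "session token reuse after logout"),  # still open
        Threat(web_db, "untrusted input reaching SQL statements",
               mitigation="parameterized queries only", tested=False),
    ]
    return components, flows, threats


if __name__ == "__main__":
    comps, flows, threats = build_sample_model()
    crossing = boundary_crossing_flows(comps, flows)
    print("boundary-crossing flows:", [(f.source, f.target) for f in crossing])
    print("flows with no threat entry:", [(f.source, f.target) for f in uncovered_flows(crossing, threats)])
    print("threat status counts:", summarize(threats))
```

Running the module as a script prints the three boundary-crossing flows, the one crossing flow that has no threat recorded (worker to db), and the status counts; in a real project the same three checks would gate the move from design to build and from build to release, and the model would be revisited on every iteration of the cycle.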
Microsoft provides complete guidance and information about the security life cycle, available at https://www.microsoft.com/en-us/securityengineering/sdl/practices.