Security risks—and the need to mitigate them—arise throughout the software development lifecycle. A secure approach must therefore be applied end-to-end:
Design – Ensure the architecture does not inherently expose systems, data, or business assets to unauthorised access.
Code – Write and reuse code securely to prevent exploitation. Developers must also operate in secure environments that protect against tampering or compromise.
Build and Deploy – Protect CI/CD pipelines from unauthorised changes and ensure the integrity of builds and releases.
Run – Operate systems securely across all environments (cloud, servers, mobile), applying best practices in people, process, and technology.
Zero Trust and Governance – Apply Zero Trust principles throughout: assume breach, verify explicitly, and enforce least privilege for all identities and components.

Core practices for securing the SDLC:
Define security standards, metrics, and governance
Use proven secure languages, frameworks, and features
Conduct design reviews and threat modelling
Apply consistent cryptographic standards
Secure the software supply chain
Protect the engineering environment
Perform regular security testing
Ensure secure platform operations
Implement monitoring and incident response
Provide ongoing security training
