Waterfall. Agile. Scrum. Kanban. Lean.
These words are often thrown around when talking about the software development life cycle (SDLC), but what do they mean and how do they relate to each other? In this blog, we’ll take a look at the evolution of the software development life cycle and consider several current trends, including the integration of application security into the development process.
The software development life cycle is a software engineering process used to design, develop, test, and deploy software. Each phase of the SDLC is designed to give companies control over their software development with predictable deliverables and visibility into budgets and deadlines. The goal of adopting an SDLC model is to produce high-quality software at a lower cost in an efficient and productive manner.
Currently, the most common SDLC models used in software development include waterfall and agile-based methodologies.
The waterfall model was the first process model adopted to manage software development. Introduced in the early 1970s, waterfall follows a linear-sequential development cycle, where each phase is discrete and begins only when the previous phase is completed. In this model, which came from manufacturing and construction industries, progress flows from the top to the bottom much like a cascading waterfall.
Winston Royce, often credited as the creator of the waterfall model for software engineering, identified the following SDLC phases:
Under the traditional waterfall model, the average time between releases is one to two years, regardless of the size of the release. Think back to the pre-SaaS Excel days when major updates meant a complete reimagining of the product and occurred only every two years.
The waterfall model provides a centralized and standardized approach to software development that is easy to manage. Unfortunately, it’s not nimble or responsive to changing customer demands because product changes are too costly once the team moves past the design phase.
In 2001, the Agile Manifesto was published, and the software development life cycle was upended. Not technically a framework or methodology, the Agile Manifesto is a set of 12 guiding principles focused on leadership, teamwork, and customer satisfaction. Some of the core principles include:
One of the main outcomes of the agile movement was shorter development cycles. Smaller companies were the first to adopt agile methodologies because they could differentiate themselves by quickly meeting customers’ demands for additional functionality in a significantly shorter timeframe. Medium-size companies began seeing the benefit of adopting an agile practice, and eventually enterprise organizations followed suit.
The average release cycle for a software company with an agile practice is once every two weeks. Some companies, like Twitter and Facebook, release new software every two days. No doubt there are companies releasing software even more frequently.
Agile is all about being lean and maximizing the added value for customers. It includes all the core steps in waterfall, but in smaller chunks. Plus, unlike waterfall, the various phases of the SDLC can run in parallel in an agile practice, making it more responsive to market changes.
As mentioned earlier, agile is more of a mindset than a model. There are, however, a number of agile frameworks that take an iterative approach to development and focus on better communication, customer satisfaction, and speed to market. The five most popular are as follows:
Despite their differences, these methodologies have similar goals: reducing costs, improving communication and collaboration across engineering, increasing customer satisfaction, and being more responsive to market changes.
When put into practice, waterfall and agile each have their strengths and weaknesses. Though waterfall can’t keep pace with agile in terms of release cycles, it can be more predictable when it comes to budgets and timelines because the scope is often more clearly defined. And while agile methodologies are more responsive to changing market conditions and customers’ needs, long-term projects can be difficult to plan, and they are more taxing on developers.
To balance each approach’s limitations, many software organizations have adopted a hybrid approach. The idea is to leverage the best of both methodologies: the planning of waterfall with the communication and execution of agile.
Under a hybrid approach, teams implement the structured up-front planning process that waterfall does so well. Agile comes into play when waterfall’s planning is broken down into smaller development chunks so that new features can be deployed to customers more quickly. This approach provides both structure and speed.
Because applications remain the top external attack vector, we’d be remiss not to mention security in the context of the SDLC.
When it comes to security, waterfall’s traditional linear approach can be a liability. Code changes are difficult when security flaws like buffer overflows are found in late-stage testing. To remediate these vulnerabilities, developers end up working on code they haven’t seen in months, which is neither efficient nor effective.
Newer SDLC models are better for developing secure software in part because their iterative approach makes it easier for changes to occur at any time should vulnerability remediation be necessary. Working on smaller chunks of code also means fewer unintended consequences; bugs have less of an impact and are easier to fix. Furthermore, the continuous release cycles of agile models have shifted security left to prevent testing bottlenecks. Developers now handle much of the security work by reviewing and testing code far earlier in the SDLC.
Whether you adopt waterfall, agile, or a hybrid approach, software development is an enormous and highly personal undertaking. In each of these models, the basic tasks are similar — design, development, testing, deployment. It is how they are executed that varies.
Choosing the right methodology depends on your own specific project, requirements, and environment. If your software is mature and its requirements are well-defined, then waterfall might be the best choice for you. If speed to market and customer input are of the greatest importance to your success, then you might consider an agile model.
In the end, there is no one-size-fits-all best choice when it comes to SDLC models. To select the best one for your company, you must first assess your own unique needs and then choose the model that works best.