When implementing an SDLC program, is anyone using a risk approach to allow the software to go ahead on the different stages, or is it a more black and white approach?

Information Security Manager in Transportation, a year ago

Of course! Having a risk methodology that you can implement from early stages of development is essential.

The key success factor is managing the risk through the SDLC life cycle.

Engineer, a year ago

SDLCs are risk based almost by definition: you ask for only N code reviews, you rely on test automation which is limited by nature, and you accept the risk in importing third party libraries.
To answer your question, it really depends on your context: in a highly regulated environment you would lean towards the black and white, while in a high paced consumer product startup you can make risk-based assessments.

Enterprise Security & Risk Management Architect in Insurance (except health), 2 years ago

We use a risk-based approach for some of the tasks in the SDLC especially for the ones that can't be cleanly automated or where there are additional costs. This requires that you have a risk assessment process that can be applied to the solutions moving through the pipeline. You have to have confidence in the risk assessment, and it has to truly differentiate between those items that need additional controls and those that can move on.

You should build these indicators or attributes in such a way that they can be used by your pipeline process to make the decision to move forward. 
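One way to turn the "indicators or attributes" described in the last answer into a pipeline gate, as an added example that is not code from any poster or program on this page: a short list of hard stops stays black and white, and everything else is scored and banded into proceed / risk review / block. The attribute names, weights and thresholds are constructed assumptions, not a published scoring model.

```python
"""Risk-based SDLC pipeline gate (added illustrative example).
Attributes, weights and thresholds are constructed assumptions."""
from dataclasses import dataclass, field

# Illustrative severity weights for SAST/SCA findings (assumed, not a standard).
WEIGHTS = {"critical": 10, "high": 5, "medium": 2, "low": 0.5}
SENSITIVITY = {"public": 1.0, "internal": 1.25, "confidential": 1.5, "restricted": 2.0}


@dataclass
class ReleaseCandidate:
    """Attributes the pipeline collects about one build before the gate."""
    name: str
    internet_facing: bool
    data_classification: str                      # key of SENSITIVITY
    findings: dict = field(default_factory=dict)  # severity -> count
    vuln_dependencies: int = 0                    # third-party deps with a known vuln
    secrets_detected: int = 0                     # hard-coded credentials found
    reviews_completed: int = 0
    reviews_required: int = 2


def risk_score(rc: ReleaseCandidate) -> float:
    """Weighted finding count scaled by exposure and data sensitivity."""
    base = sum(WEIGHTS.get(sev, 0) * n for sev, n in rc.findings.items())
    base += 3 * rc.vuln_dependencies
    exposure = 2.0 if rc.internet_facing else 1.0
    sensitivity = SENSITIVITY.get(rc.data_classification, 2.0)  # unknown -> treat as restricted
    return round(base * exposure * sensitivity, 2)


def gate_decision(rc: ReleaseCandidate, block_at=40.0, review_at=15.0):
    """Return (decision, reasons). Hard stops are black and white; the rest is risk-banded."""
    reasons = []
    if rc.secrets_detected:
        reasons.append(f"{rc.secrets_detected} secret(s) in source")
    if rc.findings.get("critical", 0) and rc.internet_facing:
        reasons.append("critical finding on internet-facing service")
    if rc.reviews_completed < rc.reviews_required:
        reasons.append(f"{rc.reviews_completed}/{rc.reviews_required} code reviews")
    if reasons:
        return "block", reasons
    score = risk_score(rc)
    reasons.append(f"risk score {score}")
    if score >= block_at:
        return "block", reasons
    if score >= review_at:
        return "needs_risk_review", reasons  # human risk assessment, not an automatic stop
    return "proceed", reasons


if __name__ == "__main__":
    batch = ReleaseCandidate("nightly-batch", False, "internal", {"high": 1, "medium": 3},
                             vuln_dependencies=1, reviews_completed=2)
    print(batch.name, gate_decision(batch))  # needs_risk_review, score 17.5
```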
