Secure Software Development Lifecycle (SSDLC) embeds security practices at every phase of development — from design (threat modelling) through coding (SAST), dependency management (SCA), testing (DAST, penetration testing), and deployment (image scanning, CSPM). Shift-left security moves controls earlier in the pipeline, where defects are 10–100× cheaper to fix than in production. Tools like Snyk, SonarQube, OWASP ZAP, and Checkov integrate into CI/CD pipelines as security gates.

Key Points

  • STRIDE threat modelling (Microsoft): Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege — systematically enumerate threats against each component in a data-flow diagram.
  • SAST (Static Application Security Testing): analyses source code without execution — Semgrep, SonarQube, CodeQL (GitHub Advanced Security), Checkmarx; catches: SQL injection patterns, hardcoded secrets, XSS sinks.
  • SCA (Software Composition Analysis): scans dependencies for known CVEs — Snyk, OWASP Dependency-Check, GitHub Dependabot; set policy to fail builds on CVSS ≥ 7.0 (High) for direct dependencies.
  • DAST (Dynamic Application Security Testing): tests a running application for vulnerabilities — OWASP ZAP (open-source), Burp Suite (manual + automation API), Nikto; best for finding runtime issues like SSRF, auth bypass.
  • Secret detection in CI: truffleHog, detect-secrets, GitLeaks scan Git history for committed secrets — run as pre-commit hook and in CI; even deleted secrets are in Git history and must be rotated.
  • Container image scanning: Trivy (open-source, fast), Snyk Container, AWS ECR Enhanced Scanning (Inspector v2) — scan at build time and continuously in the registry as new CVEs are published.
  • IaC security scanning: Checkov (Terraform, CloudFormation, Kubernetes YAML), tfsec, KICS — fail CI on HIGH severity findings like S3 public buckets, security groups with 0.0.0.0/0 ingress, unencrypted EBS.
  • Penetration testing cadence: annual full-scope pentest + quarterly targeted tests for high-risk areas (authentication, payment flows) + continuous automated testing via CI/CD security gates.
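
The STRIDE point above describes enumerating threats "against each component in a data-flow diagram"; the usual way to do that systematically is STRIDE-per-element, where each DFD element type only gets the threat categories that apply to it. The following is an added example (not from the page, nor Microsoft's tooling) that encodes the standard per-element applicability table and runs it over a small constructed DFD; the element and flow names are hypothetical, and the "high" priority for flows crossing a trust boundary is a common reviewing convention rather than part of STRIDE itself.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram (DFD)."""
from dataclasses import dataclass
from enum import Enum
from typing import List


class ElementType(Enum):
    EXTERNAL_ENTITY = "external entity"
    PROCESS = "process"
    DATA_STORE = "data store"
    DATA_FLOW = "data flow"


STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element applicability table (Microsoft SDL / Shostack):
# which threat categories are relevant to each kind of DFD element.
APPLICABLE = {
    ElementType.EXTERNAL_ENTITY: "SR",
    ElementType.PROCESS: "STRIDE",
    ElementType.DATA_STORE: "TRID",
    ElementType.DATA_FLOW: "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: ElementType
    # Only meaningful for data flows: a flow that crosses a trust boundary is where
    # an attacker can most plausibly act, so its rows are ranked first for review.
    crosses_trust_boundary: bool = False


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    priority: str  # "high" when the element crosses a trust boundary, else "normal"


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Apply the per-element table to every DFD element and return the candidate threats.

    The result is the worklist for a threat-modelling session: each row is a question
    ("can this flow be tampered with?") that needs a mitigation or a recorded
    acceptance; it is not a confirmed vulnerability.
    """
    threats = []
    for element in elements:
        priority = "high" if element.crosses_trust_boundary else "normal"
        for letter in APPLICABLE[element.kind]:
            threats.append(Threat(element.name, STRIDE[letter], priority))
    return threats


def threats_for(threats: List[Threat], element_name: str) -> List[str]:
    """The category names enumerated for one element, in STRIDE order."""
    return [t.category for t in threats if t.element == element_name]


# Constructed sample DFD (hypothetical system, not from any real product): a browser
# outside the trust boundary calls a web API, which reads and writes an orders database.
SAMPLE_DFD = [
    Element("Browser", ElementType.EXTERNAL_ENTITY),
    Element("Web API", ElementType.PROCESS),
    Element("Orders DB", ElementType.DATA_STORE),
    Element("Browser -> Web API (HTTPS)", ElementType.DATA_FLOW, crosses_trust_boundary=True),
    Element("Web API -> Orders DB (SQL)", ElementType.DATA_FLOW),
]


if __name__ == "__main__":
    # Boundary-crossing rows first, then everything else.
    for t in sorted(enumerate_threats(SAMPLE_DFD), key=lambda t: t.priority != "high"):
        print(f"[{t.priority:6}] {t.element}: {t.category}")
```

For the five-element DFD this yields 18 candidate threats (2 for the external entity, 6 for the process, 4 for the store, 3 per flow); in practice the table is the starting point and each row is then closed with a control (TLS, authentication, audit logging, rate limiting, and so on) or an explicit risk acceptance.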
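
The SCA point above gives a concrete gate policy: fail the build on CVSS ≥ 7.0 (High) for direct dependencies. The block below is an added example of such a gate, not code from the page or from Snyk, Dependency-Check or Dependabot; the report it parses is a constructed, tool-neutral shape (a real gate would first map the scanner's own JSON onto it), and the package names and vulnerability ids are placeholders. Two details a practitioner would want are included: High findings in transitive dependencies are surfaced as warnings rather than silently ignored, and an unparseable report fails closed.

```python
"""CI security gate over an SCA report: fail on CVSS >= 7.0 (High) in direct dependencies."""
import json
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

FAIL_THRESHOLD = 7.0  # CVSS v3.x "High" band starts at 7.0 (Critical at 9.0)

# Constructed report in a simplified, tool-neutral shape. It is NOT the real output
# schema of any scanner; the ids and package names are placeholders.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"id": "VULN-EXAMPLE-1", "package": "libfoo", "version": "1.2.0",
         "cvss": 7.5, "direct": True, "fixed_in": "1.2.1"},
        {"id": "VULN-EXAMPLE-2", "package": "libbar", "version": "0.9.0",
         "cvss": 9.8, "direct": False, "fixed_in": "0.9.3"},
        {"id": "VULN-EXAMPLE-3", "package": "libbaz", "version": "4.0.0",
         "cvss": 5.3, "direct": True, "fixed_in": None},
    ]
})


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    version: str
    cvss: float
    direct: bool
    fixed_in: Optional[str]


def parse_report(raw: str) -> List[Finding]:
    """Parse the (constructed) report shape into Finding records."""
    data = json.loads(raw)
    findings = []
    for v in data.get("vulnerabilities", []):
        findings.append(Finding(
            vuln_id=str(v["id"]),
            package=str(v["package"]),
            version=str(v["version"]),
            cvss=float(v["cvss"]),
            direct=bool(v["direct"]),
            fixed_in=v.get("fixed_in"),
        ))
    return findings


def evaluate(findings: List[Finding],
             threshold: float = FAIL_THRESHOLD) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into build-blocking ones and warnings.

    Policy from the page: direct dependencies at or above the threshold block the build.
    Equally severe findings in transitive dependencies become warnings so they are still
    triaged (the fix is often bumping the direct dependency that pulls them in).
    """
    blocking = [f for f in findings if f.direct and f.cvss >= threshold]
    warnings = [f for f in findings if not f.direct and f.cvss >= threshold]
    return blocking, warnings


def gate(raw: str, threshold: float = FAIL_THRESHOLD) -> int:
    """Return the CI exit code: 1 when the policy is violated, 0 otherwise."""
    try:
        findings = parse_report(raw)
    except (ValueError, KeyError, TypeError) as exc:
        # Fail closed: a broken report is a broken gate, not a clean scan.
        print(f"GATE ERROR: cannot parse SCA report: {exc}", file=sys.stderr)
        return 1
    blocking, warnings = evaluate(findings, threshold)
    for f in warnings:
        print(f"WARN  {f.vuln_id} {f.package}@{f.version} CVSS {f.cvss} (transitive)")
    for f in blocking:
        fix = f"upgrade to {f.fixed_in}" if f.fixed_in else "no fix released yet"
        print(f"BLOCK {f.vuln_id} {f.package}@{f.version} CVSS {f.cvss} ({fix})")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(gate(SAMPLE_REPORT))
```

Wired into a pipeline, the script runs after the scanner step and its exit code is the gate. The threshold is a parameter so a stricter branch policy (for example 4.0 on release branches) is a configuration change, not a code change.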
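
The IaC scanning point names three findings that should fail CI: public S3 buckets, security groups with 0.0.0.0/0 ingress, and unencrypted EBS volumes. The following is an added example of how such checks work, written here rather than taken from the page or from Checkov, tfsec or KICS: it evaluates a constructed Terraform plan modelled on a simplified subset of the `terraform show -json` output (`resource_changes[].change.after`) and fails on any HIGH finding. The resource addresses are hypothetical; rating world-open 80/443 as MEDIUM rather than HIGH is an added reviewing judgement, not a rule from the page.

```python
"""Minimal IaC policy checks over a Terraform plan, modelled on `terraform show -json`."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed plan (hypothetical resources) using a simplified subset of the real
# plan JSON: each resource change carries its type and the planned `after` state.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-logs", "acl": "public-read"}}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
         ]}}},
        {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
         "change": {"actions": ["create"], "after": {"size": 100, "encrypted": False}}},
        # A deletion has no `after` state and therefore nothing to check.
        {"address": "aws_ebs_volume.old", "type": "aws_ebs_volume",
         "change": {"actions": ["delete"], "after": None}},
    ]
})


@dataclass(frozen=True)
class Finding:
    check_id: str
    severity: str
    address: str
    message: str


def check_s3_public_acl(address: str, after: dict) -> List[Finding]:
    # Simplified: looks only at the inline `acl` argument. A fuller check would also
    # evaluate aws_s3_bucket_acl, bucket policies and the public access block.
    if after.get("acl") in ("public-read", "public-read-write"):
        return [Finding("S3_PUBLIC_ACL", "HIGH", address, f"bucket ACL is {after['acl']}")]
    return []


def check_sg_world_ingress(address: str, after: dict) -> List[Finding]:
    findings = []
    for rule in after.get("ingress") or []:
        if "0.0.0.0/0" not in (rule.get("cidr_blocks") or []):
            continue
        ports = (rule.get("from_port"), rule.get("to_port"))
        # Added judgement: a world-reachable web port is a review item; anything else
        # open to the world (SSH, databases, all ports) fails the build outright.
        severity = "MEDIUM" if ports in ((80, 80), (443, 443)) else "HIGH"
        findings.append(Finding("SG_WORLD_INGRESS", severity, address,
                                f"ingress {ports[0]}-{ports[1]}/{rule.get('protocol')} from 0.0.0.0/0"))
    return findings


def check_ebs_unencrypted(address: str, after: dict) -> List[Finding]:
    if not after.get("encrypted", False):
        return [Finding("EBS_UNENCRYPTED", "HIGH", address, "volume is not encrypted at rest")]
    return []


# Resource type -> checks that apply to it.
CHECKS: Dict[str, List[Callable[[str, dict], List[Finding]]]] = {
    "aws_s3_bucket": [check_s3_public_acl],
    "aws_security_group": [check_sg_world_ingress],
    "aws_ebs_volume": [check_ebs_unencrypted],
}


def scan_plan(raw: str) -> List[Finding]:
    """Run every applicable check over each planned resource state."""
    plan = json.loads(raw)
    findings: List[Finding] = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if after is None:  # deletions and fully-unknown states have nothing to check
            continue
        for check in CHECKS.get(rc.get("type", ""), []):
            findings.extend(check(rc["address"], after))
    return findings


def gate(raw: str, fail_on=("HIGH",)) -> int:
    """CI exit code: 1 if any finding is at a failing severity, else 0."""
    findings = scan_plan(raw)
    for f in findings:
        print(f"{f.severity:6} {f.check_id:17} {f.address}: {f.message}")
    return 1 if any(f.severity in fail_on for f in findings) else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_PLAN))
```

Against the sample plan this reports four findings, three of them HIGH (the public bucket, SSH from the world, and the unencrypted volume), so the gate fails; the 443 rule is logged as MEDIUM for a human to confirm it is intentional.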

Real-World Example

Microsoft's Security Development Lifecycle (SDL) requires threat modelling for all new features, mandatory SAST with CodeQL in all GitHub repositories, and a minimum security review before any new service is deployed to production — a model adopted by thousands of enterprises.