50 Core Software Security
Please note that, unlike some of the SDLs you may have seen before, we include post-release support activities and best practices in our SDL, as shown in Figure 2.10. We have included this because most software security teams or their equivalent, especially those in mid-sized or small companies, do not have the luxury of having an independent Product Security Incident Response Team (PSIRT), or a team dedicated solely to conducting security M&A assessments, third-party reviews, post-release certifications, internal reviews for new product combinations or cloud deployments, or reviews of legacy software that is still in use or about to be re-used. It takes some outside-the-box thinking to manage all of this with a small team. Later in the book we will discuss leveraging seasoned software security architects, software security champions, specialized software, and third-party contractors to accomplish SDL goals and activities.
2.10 Software Development Methodologies
Earlier in the chapter we discussed the various SDLC models and provided a visual overview of our mapping of our SDL model to a generic SDLC. It should be noted, however, that multiple software development methodologies are used within the various SDLC models. Every software development methodology acts as a basis for applying specific frameworks to develop and maintain software; it is less concerned with the technical side than with the organizational aspects of the process of creating software. Principal among these development methodologies are the Waterfall model and Agile, together with its many variants and spin-offs. The Waterfall model is the oldest and best-known software development methodology. The distinctive feature of the Waterfall model is its sequential, step-by-step process beginning from requirements. Agile methodologies are gaining popularity in industry, although they comprise a mix of traditional and newer software development practices. You may see Agile, traditional Waterfall, or a hybrid of the two. We have chosen to give a high-level description of the Waterfall and Agile development models and a variant or two of each as an introduction to software development methodologies. Given the number of models that exist, we have not only mapped our SDL model to a generic SDLC but will do the same in Chapter 9, when we describe the applicability of our SDL to a few of the most popular software development models that you may encounter over the next few years.