A key stakeholder has called for the implementation of a Secure Software Development Lifecycle (SSDLC). They know this isn’t an overnight shift—it’s a journey that hinges less on tools and more on processes, culture, and the maturity of our software practices. Throwing tools at the problem without foundational discipline just leads to the illusion of security.
So before we start layering in security, we need something to layer on top of. That means establishing a robust, baseline Software Development Lifecycle (SDLC)—and doing it in a way that actually sets the groundwork for higher throughput and better quality long-term.
Start with a Foundation That Enables Security
Most legacy projects I encounter don’t have formal SDLC processes—they’re running on tribal knowledge and patchwork conventions. Before we can make them secure, we need to improve the maturity of the development process. A basic software lifecycle must be in place [1] before security concerns can be overlaid on top of it.
Here’s how we build that maturity, layer by layer:
1. Establish Version Control Discipline
- Evaluate where the team’s development processes currently stand against any software development lifecycle.
- Centralise all source code and configuration files (ini, XML, JSON, YAML, etc.) in a Git repository—GitHub, Azure DevOps, GitLab, Bitbucket… pick your platform.
- Implement a Git workflow. Pull Requests (PRs) must go through review—by someone other than the author.
- Every PR is tied to an actual work item: bug, task, epic. Use a tracker like Jira, Azure DevOps, or GitHub Issues.
2. Enforce Commit Policies
- Apply branch protections: no direct commits to main or any deployable branch.
- All code changes come via PRs. Reviews are mandatory. The reviews are as much about sharing knowledge as they are about ensuring that quality is maintained.
3. Introduce Continuous Integration
- Implement CI pipelines that build your software and produce artifacts.
- Secure your build outputs—they’re part of your supply chain.
- Introduce build gates. Let the build fail if quality or dependencies don’t meet your requirements. Build health equals project health.
Now Layer Security into the Lifecycle
Once the lifecycle is predictable and structured, we can overlay meaningful security tooling and practices. Here’s how:
- Dependency Scanning: Detect known vulnerabilities in external packages.
- Static Analysis: Evaluate the codebase for risky constructs and code smells.
- Security Unit Tests: Bake in negative testing, boundary checks, and misuse cases.
- Training: Equip devs with security mindset and awareness—make it part of onboarding and ongoing upskilling.
- CI Error Discipline: Don’t just mute warnings—work toward resolving all items that impact build stability or security.
- Non-Functional Documentation: Capture performance, reliability, and security expectations. Without this, you’re building blindfolded.
- Tooling Evaluation: Choose your stack wisely—consider Dependabot, SonarQube, WhiteSource, etc.—and integrate them in a way that enhances rather than complicates your pipeline.
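One way to wire the build gates from step 3 to the dependency scanning and CI error discipline points above is a small policy script that runs after the scanner. This is an added example, not code from the original post: the report format, advisory ids, package names and work-item keys are all constructed, and the policy fails the build on findings at or above a severity threshold unless a time-limited exception tied to a tracker item covers them, so accepted risks expire instead of being muted forever.

```python
"""CI build gate: fail the build on unaccepted dependency findings.

Added example. The scanner report shape here is simplified and constructed;
real tools (Dependabot, npm audit, pip-audit) emit their own JSON.
"""
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}


def rank(severity: str) -> int:
    """Unknown severities rank as critical so the gate fails closed."""
    return SEVERITY_RANK.get(severity.lower(), max(SEVERITY_RANK.values()))


@dataclass(frozen=True)
class Finding:
    package: str
    advisory: str   # scanner's advisory id (constructed values below)
    severity: str


@dataclass(frozen=True)
class RiskException:
    advisory: str
    work_item: str  # tracker key, so the accepted risk has an owner
    expires: date   # after this date the finding blocks the build again


def blocking_findings(findings, exceptions, min_severity="high", today=None):
    """Return findings that must fail the build, most severe first."""
    today = today or date.today()
    active = {e.advisory for e in exceptions if e.expires >= today}
    blocked = [f for f in findings
               if rank(f.severity) >= rank(min_severity) and f.advisory not in active]
    return sorted(blocked, key=lambda f: -rank(f.severity))


# Constructed sample report and policy; none of these are real advisories.
REFERENCE_DATE = date(2025, 6, 1)
SAMPLE_FINDINGS = [
    Finding("left-pad", "ADV-0001", "low"),
    Finding("yaml-parser", "ADV-0002", "high"),
    Finding("http-client", "ADV-0003", "critical"),
    Finding("image-lib", "ADV-0004", "high"),
]
SAMPLE_EXCEPTIONS = [
    RiskException("ADV-0002", "PROJ-123", date(2030, 1, 1)),  # still valid
    RiskException("ADV-0004", "PROJ-456", date(2024, 1, 1)),  # expired: re-surfaces
]

if __name__ == "__main__":
    blocked = blocking_findings(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, today=REFERENCE_DATE)
    for f in blocked:
        print(f"BLOCK {f.severity:8} {f.package} ({f.advisory})")
    raise SystemExit(1 if blocked else 0)  # non-zero exit fails the CI job
```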
Building Maturity ≠ Losing Velocity
This isn’t just about making things “secure.” It’s about laying the groundwork so that quality improves, bug counts fall, regressions get caught early, and features ship faster – with confidence. A mature SDLC gives you the levers to scale safely.
In Part 2, we’ll explore how to evolve these practices into proactive, continuous security strategies—ones that accelerate velocity rather than inhibit it.
References
- [1] Software Engineering Radio, episode 637: Steve Smith on Software Quality. https://se-radio.net/2024/10/se-radio-637-steve-smith-on-software-quality/#:~:text=Steve%20Smith%2000%3A22%3A48%20Well%20I%20would%20start%20with%20source%20control.
