SDLC is dead, long live SPLC (Secure Product Lifecycle)
SPL{ops} is a unified approach for the management of a product lifecycle within the pipeline, from design and modeling to production security.
Since Microsoft's inception of the SDLC in 2008, the development world has undergone multiple transformations with extensive impact on how products are designed, developed and operated. Those changes, most noticeably the Agile transformation and "everything as code", have rendered the SDLC process irrelevant.
Nonetheless, those transformations present an opportunity for security teams to embed their practices and requirements into product and business practices, to promote better and more secure development practices from the get-go ("shift left") and, furthermore, to enhance production security through an understanding of the product ecosystem and its components.
SPL{ops} (Secure Product Lifecycle Operations) aims to create a framework for security and product teams to adopt, leveraging Agile and "as code" lifestyles to enhance the security of the product while reducing the friction between the teams and addressing the core of all security issues: being too late to the party.
A few of the things you can do with SPL{ops}:
- Kickstart product security, for anyone from startups to enterprises
- Find a purpose-built framework for implementing "SDLC" for Agile and Ops-driven teams
- Get a curated list of open source and commercial solutions that fit into the framework
- Access child projects that extend the framework into the technical realms and help drive product security forward
| SPL{ops} Project Name | Description | Project Type | Status | More Information |
|---|---|---|---|---|
| CyberSnippets | Taking security training into the 21st century with bite-sized training materials on various secure development methods and techniques | Training | Pre-Alpha (0%) | Repo |
| .Security | Security specification definition within the code, enabling continuous security support throughout the development lifecycle through to production deployments. .Security + .Release + .Deploy = DevSecOps ❤️ | Tool | Pre-Alpha (0%) | Repo |
| CySkeleton | A skeleton requirements document (Epics, User Stories, Tasks and more) for secure products, with full parity to JIRA and other agile task management systems | Framework | Pre-Alpha (0%) | Repo |
| Continuous Modeling | Bring continuity and accountability to threat modeling with 3 complementary engines embedded within the code and the CI/CD pipeline | Technology | Backlog | Specifications |
| Awesome Scanning | A curated list of security scanning tools (SAST, DAST, IAST, container scanning etc.), both commercial and open source, and their level of integration support for CI/CD pipelines | 3rd Party | Pre-Alpha (0%) | Repo |
| Code Quality | A curated list of code quality tools (commercial and open source) and their level of integration support for CI/CD pipelines | 3rd Party | Backlog | |
| Awesome Secret | A curated list of secret management tools, both commercial and open source, and their level of integration support for CI/CD pipelines | 3rd Party | Pre-Alpha (0%) | Repo |
| SecBuild | A framework for security sanity tests as a part of the build process, integrated into common CI/CD deployment tools | Framework | Backlog | Specifications |
| SecTestOps | A framework for security testing automation | Framework | Backlog | Specifications |
| .Release | Security, build, deployment and governance specifications, dynamically generated to make deployment and production security a breeze. .Security + .Release + .Deploy = DevSecOps ❤️ | Tool | Pre-Alpha (0%) | Repo |
| .Deploy | Deployment specifications framework for DevOps, dynamically building deployment templates based on various security and product metrics. .Security + .Release + .Deploy = DevSecOps ❤️ | Tool | Backlog | Repo |
| SecurityCanary | Framework for the creation of production replicas to directly enable bounty programs and hackathons, test the impact of security configuration changes and more | Framework | Backlog | Specifications |
| SecBubble | A tool for the creation of dynamic application whitelisting rules and security packages (e.g. a logging package), driven by code and security specifications provided as a part of the CI/CD pipeline | Framework | Backlog | Specifications |
| SecMetrics | A framework for security metric creation and enforcement throughout the CI/CD pipeline, enabling coherent and actionable evaluation of the product security posture | Framework | Backlog | Specifications |
Feel free to send me feedback on Twitter, LinkedIn or file an issue. Feature requests are always welcome. If you wish to contribute, please take a quick look at the guidelines!
If there's anything you'd like to chat about, please feel free to join our Slack chat!
