What is the CDLC vs. the SDLC?
The beloved SDLC.
As we all know, the SDLC primarily focuses on the overall software development process, encompassing planning, design, coding, testing, deployment, maintenance - rinse and repeat. It's a comprehensive framework for delivering high-quality software. But you already knew that.
The great thing about it is that it is indeed a framework, so it can be tailored and implemented as required, depending on your product or industry.
What is the CDLC?
On the other hand, the CDLC (Cloud Development Lifecycle), or CSDLC (Cloud Software Development Lifecycle) if you prefer, specifically addresses the unique challenges and opportunities introduced by cloud computing. It includes stages like cloud strategy, planning, migration, operations, and optimization. The CDLC emphasizes leveraging cloud services efficiently throughout the software development and deployment process.
In essence, while SDLC is a broader approach to software development, CDLC is tailored to the specific considerations associated with cloud environments.
Is CDLC the new SDLC?
Here we take a look at the possible pros and cons of choosing CDLC approaches or the SDLC framework.
SDLC
The Pros
- A systematic and organized approach from planning to maintenance.
- Development teams can identify and address potential risks early in the process.
- The SDLC emphasizes thorough testing at varying stages, ensuring the software meets quality standards and is free of critical defects before deployment.
- A familiar process which lends itself to encouraging clear communication and collaboration between teams.
The Cons
- This is a very planning-intensive method, which can cause deployment delays.
- Equally, this time-consuming approach can tie up valuable resources.
- The SDLC may not be the preferred option when prototyping or exploring hypothetical code changes.
- The SDLC can be perceived as inflexible. Once a phase is completed, it can be challenging to revisit or make changes - not ideal if you have fast-moving projects.
CDLC
The Pros
- Ensures that software is developed, deployed, and maintained effectively in the cloud.
- Useful for companies that are utilizing AWS, Microsoft Azure or Google Cloud Platform (GCP) environments.
- Can allow organizations to deploy faster and provide scalability.
- Reduces upfront infrastructure costs, giving companies potential cost savings and efficiencies.
The Cons
- Too much focus on the cloud and not enough on the SDLC could make it more likely that a vulnerability is missed.
- There is the possibility that adopting certain cloud services results in vendor lock-in, making future migration a challenge.
- Organizations may also experience limited control over the underlying infrastructure in the cloud, which must be considered within a CDLC strategy and plan.
- Storing important data in the cloud may require additional measures to protect sensitive information.
Will we ever see OPDLC?!
At the other end of the security spectrum, it almost makes you wonder if OPDLC will be the next acronym (On-Premise Development Lifecycle - don’t worry, we made it up). Especially when you could argue that there are considerations related to local infrastructure, hardware provisioning, security measures specific to on-premise systems, and the absence of certain cloud-related stages like migration. These need different treatment from a CDLC.
And although many organizations are making strides in cloud computing or digital transformation, the same level of progress isn’t always feasible for industries with complicated legacy systems, such as financial services. We aren’t condoning a backwards-focused approach to security, but not all companies are just operating with cloud technology - or able to implement it at the same speed.
Best practices for your SDLC, CDLC or any other Product Lifecycle!
Whichever acronym you choose, or use, the most important part is that you are tailoring your security techniques, testing, deployment and mitigation processes based on what you have and the means by which you can plan and optimize. Are you focusing on security by design and a DevSecOps mindset? Take a look at this guide from Snyk for their Top 10 SDLC Best Practices:
1. Shift mindsets to DevSecOps
2. Keep security requirements current
3. Threat modeling
4. Secure design requirements
5. Use open source securely
6. Code reviews
7. Pen testing
8. Manage potential vulnerabilities
9. Incident response planning
10. Set up a security champions program
Many of these top ten still apply to cloud environments too, especially threat modeling, whereby you create a view of your cloud architecture and identify the potential vulnerabilities and risks associated with it.
Can Threat Modeling support CDLC practices?
The short answer? Absolutely! At IriusRisk, we can directly import from the cloud orchestration tools you may already be using, and our Threat Modeling Tool itself allows you to build your architecture using GCP, Microsoft Azure and AWS cloud components. Learn about our Infrastructure as Code capability here.
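To make the two preceding points concrete (threat modeling over a view of your cloud architecture, and deriving that view from infrastructure-as-code), here is an added example of the mechanism: it is not IriusRisk's code or the Snyk guide's, and the CloudFormation-style template, resource names and the three-rule threat library are constructed for illustration.

```python
import json

# Constructed CloudFormation-style template (not a real deployment): a public
# bucket, an SSH rule open to the world, an unencrypted database, one clean bucket.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "Uploads": {"Type": "AWS::S3::Bucket",
                "Properties": {"AccessControl": "PublicRead"}},
    "WebSG": {"Type": "AWS::EC2::SecurityGroup",
              "Properties": {"SecurityGroupIngress": [
                  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                   "CidrIp": "0.0.0.0/0"}]}},
    "Orders": {"Type": "AWS::RDS::DBInstance",
               "Properties": {"StorageEncrypted": False}},
    "Logs": {"Type": "AWS::S3::Bucket",
             "Properties": {"AccessControl": "Private"}},
}})

def bucket_public(props):
    return props.get("AccessControl", "Private").startswith("Public")

def sg_open_to_world(props):
    return any(rule.get("CidrIp") == "0.0.0.0/0"
               for rule in props.get("SecurityGroupIngress", []))

def db_unencrypted(props):
    return not props.get("StorageEncrypted", False)

# Threat library: (resource type, predicate over Properties, threat, mitigation).
RULES = [
    ("AWS::S3::Bucket", bucket_public,
     "Information disclosure: objects readable by anyone",
     "Set AccessControl to Private and enable Block Public Access"),
    ("AWS::EC2::SecurityGroup", sg_open_to_world,
     "Unauthorised network access: ingress allowed from 0.0.0.0/0",
     "Restrict CidrIp to trusted ranges or front SSH with a bastion/SSM"),
    ("AWS::RDS::DBInstance", db_unencrypted,
     "Data at rest unprotected: storage encryption disabled",
     "Set StorageEncrypted to true and pick a KMS key"),
]
def threat_model(template_json):
    """Return (resource name, threat, mitigation) for every rule that fires."""
    resources = json.loads(template_json)["Resources"]
    return [(name, threat, mitigation)
            for name, res in resources.items()
            for rtype, pred, threat, mitigation in RULES
            if res["Type"] == rtype and pred(res.get("Properties", {}))]

if __name__ == "__main__":
    for name, threat, mitigation in threat_model(SAMPLE_TEMPLATE):
        print(f"[{name}] {threat}\n    mitigation: {mitigation}")
```

The point is the shape of the pipeline rather than the three rules: each resource type in the imported architecture is matched against a library of known threats and their countermeasures, which is what lets a threat model be regenerated every time the infrastructure code changes.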
Conclusion
So we’ve taken a look at the Cloud (Software) Development Lifecycle and the Software Development Lifecycle. Ultimately, it is down to your company, industry, and its unique compliance and security needs, to decide which is best for you. Perhaps you use a combination of both, and are dedicated to a view of continuous security and learning.
Whatever you choose, if you feel like you could share your experiences to teach others, head over to Threat Modeling Connect, where you can freely contribute to forums and articles with other like-minded professionals. Let’s all help each other to make the world secure by design.