MetaSEnD: A Security Enabled Development Life Cycle Meta-Model

The growing adoption of IT infrastructures determined a high heterogeneity of software systems. As matter of fact, the software is prone to vulnerabilities and cybersecurity problems, which are challenging to manage during the software lifecycle. The situation is further compounded by the growing demand for rapid application development and the widespread diffusion of Agile methodologies and the DevOps culture. This process promotes collaboration within and between the different groups involved in software development. In recent years there has been a spread of new or adapted security-oriented methodologies providing different approaches to identify security problems in the early stages of the software development life cycle (SDLC), thus reducing the costs for the security assessment. SecDevOps is just an example of the integration and promotion of security aspects in DevOps organizations. While these methodologies help to produce more reliable software, on other hand they are difficult to integrate into standard or customized SDLC, or with design evaluation and risk management methodologies. This work analyzes the state of the art and aims at identifying the main activities in a Secure Software Development Life Cycle (SSDLC), by proposing a new secure software development lifecycle meta-model (MetaSEnD). MetaSEnD has also been applied in a continuous integration pipeline of a sample microservices application.