Software Development Life Cycle

Risk in Software Development Life Cycle

A Software Development Life Cycle (SDLC) is a series of steps or processes that are undertaken to develop a software product. In general, the activities or processes include gathering the requirements, design, implementation, testing, documenting and maintenance. The exact process depends to a large extent on the SDLC model used.

One of the important aspects of any SDLC model is risk management because it protects the information, software product as well as the external data from a possible theft, vulnerability or loss. Risk is the negative impact that any action has on the software product in terms of its vulnerability, frequency of occurrence and the potential of harm or destruction. It is easier to prevent risk rather than fix it and this is why risk management is a vital component of any product's SDLC.

Risk Management Activities

The primary objective of risk management is to help the software product to perform its functions by better securing the information and functions associated with it. Risk management encompasses assessment of risk, mitigation of risk and a constant evaluation to ensure that risk levels are low. It is performed during every phase of SDLC in an iterative manner.

During the initiation or gathering of requirements phase, risks pertaining to security are identified and addressed. The risks identified during the first stage is incorporated into the design and implementation phase to ensure that the architecture of the product has no room for vulnerability. These risk management activities are documented and are routinely looked into during testing and maintenance phases to mitigate its negative effects.

Risk Reduction Strategies

Numerous risk reduction strategies are employed by IT companies today. One of the popular ones is to use the Spiral model of SDLC. This method uses an iterative process to develop the product and this means, risk is assessed and addressed during every iteration. Risk analysis is a cornerstone of this model and this is why many companies prefer this model as a risk reduction strategy.

Other risk reduction strategies include system characterization, identification of the possible vulnerabilities, threat determination, impact analysis of the risk and recommendations for control. In system characterization, the boundaries of the system with respect to its hardware, software, users and information is identified. Based on this information, appropriate system boundaries and functions are put in place so that the system does not crash due to a vulnerability or data is not used by unauthorized personnel.

The second strategy is to identify the possible vulnerability by analyzing past system crashes and attacks. This strategy also includes a detailed analysis for identifying potential vulnerabilities that can occur in the future such as a virus attack or hacking. This helps the developing team to assess the likely areas of risk and take the steps necessary to plug in these holes.