SDLC Assessment SOP

Sub-procedure for Innovate pillar digital transformation

Overview

This sub-procedure defines the approach for assessing an organization's current software development lifecycle (SDLC) practices, identifying security gaps, and developing recommendations for implementing secure development practices. It establishes the foundation for DevSecOps transformation.

Scope

Pillar: Innovate (Digital Transformation)
Service Area: Secure SDLC
Related Services: Security Advisory, Application Security

Prerequisites

  • Executive sponsorship for SDLC improvement
  • Development team engagement confirmed
  • Access to development tools and documentation
  • Key stakeholder availability (Dev, Ops, Security)
  • Current development documentation (if available)
  • NDA in place for code/architecture review

Procedure

Step 1: SDLC Discovery

Objective: Understand current development practices

  1. Interview Stakeholders:
     • Development leads and architects
     • Operations/infrastructure team
     • Security team (if one exists)
     • Product/project managers
  2. Document Current State:
     • Development methodology (Agile, Waterfall, hybrid)
     • Team structure and responsibilities
     • Communication and collaboration tools
     • Change management process
  3. Inventory Development Tools:
     • Source control (Git, SVN, etc.)
     • CI/CD platforms (Jenkins, GitHub Actions, etc.)
     • Issue tracking (Jira, Azure DevOps, etc.)
     • Documentation systems
     • Development environments

Duration: 2-3 days
Owner: DevSecOps Consultant

Step 2: Security Practices Assessment

Objective: Evaluate current security integration

  1. Secure Design Review:
     • Threat modeling practices
     • Security requirements definition
     • Architecture review process
     • Third-party component evaluation
  2. Secure Coding Practices:
     • Coding standards and guidelines
     • Security training for developers
     • Code review process (security focus)
     • IDE security plugins
  3. Security Testing:
     • Static analysis (SAST) usage
     • Dynamic analysis (DAST) usage
     • Software composition analysis (SCA)
     • Penetration testing frequency
  4. Deployment Security:
     • Infrastructure as Code security
     • Container security practices
     • Secrets management
     • Configuration management

Duration: 3-5 days
Owner: Security Consultant

Step 3: CI/CD Pipeline Analysis

Objective: Assess automation and security integration

  1. Pipeline Architecture Review:
     • Build process documentation
     • Test automation coverage
     • Deployment automation
     • Environment management
  2. Security Gate Analysis:
     • Pre-commit hooks (secrets, linting)
     • Build-time security scans
     • Pre-deployment gates
     • Post-deployment validation
  3. Quality Metrics:
     • Build success rates
     • Deployment frequency
     • Mean time to recovery (MTTR)
     • Change failure rate
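When reviewing the pre-commit secrets gate, it helps to know what a working one does, because many "secrets hooks" found in the field only lint. The following is an added illustration, not part of this SOP and not the code of any scanner it might name: it parses the added lines of a unified diff, flags credential-shaped strings, allowlists obvious placeholders, and returns the non-zero status a hook uses to block the commit. The three patterns, the allowlist and the sample diff are constructed for the example; a production gate should run a maintained scanner with its full ruleset.

```python
"""Pre-commit secrets gate: added example, not part of this SOP or any vendor tool.

Scans the added lines of a unified diff for credential-shaped strings and
returns findings; a hook wrapper exits non-zero to block the commit.
Patterns, allowlist and the sample diff are constructed for illustration.
"""
import re
import sys
from dataclasses import dataclass

# Constructed detection patterns. A production gate would use a maintained
# scanner and its ruleset; these three cover common credential shapes.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key)\s*[=:]\s*['"][^'"]{8,}['"]"""
    ),
}

# Obvious placeholders must not block commits, or developers disable the hook.
ALLOWLIST = re.compile(r"(?i)(placeholder|changeme|<your-|\$\{)")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int  # line number in the new version of the file
    rule: str


def scan_diff(diff_text: str) -> list:
    """Walk a unified diff and report added lines that match a secret pattern."""
    findings = []
    path = "?"
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("@@"):
            # "@@ -a,b +c,d @@": c is the first line number on the new side
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            new_line = int(m.group(1)) if m else 0
            continue
        if raw.startswith("-"):
            continue  # removed lines (and the --- header) do not advance new-side numbering
        if raw.startswith("+"):
            content = raw[1:]
            if not ALLOWLIST.search(content):
                for rule, pattern in SECRET_PATTERNS.items():
                    if pattern.search(content):
                        findings.append(Finding(path, new_line, rule))
        new_line += 1  # added and context lines both occupy a new-side line
    return findings


def gate(diff_text: str) -> int:
    """Exit status for a hook: 1 blocks the commit, 0 lets it through."""
    findings = scan_diff(diff_text)
    for f in findings:
        print(f"{f.path}:{f.line_no}: possible secret ({f.rule})", file=sys.stderr)
    return 1 if findings else 0


# Constructed sample diff: two real-looking credentials and one placeholder.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,5 @@ DEBUG = False
 ALLOWED_HOSTS = ["app.internal"]
+AWS_ACCESS_KEY_ID = "AKIA0000000000000000"
+DB_PASSWORD = "hunter2hunter2"
+API_KEY = "changeme-changeme"
 LOG_LEVEL = "INFO"
"""

if __name__ == "__main__":
    # As a hook: git diff --cached -U0 | python secrets_gate.py -
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_DIFF
    sys.exit(gate(data))
```

On the sample diff the gate reports the AWS key on line 11 and the password on line 12, lets the placeholder through, and returns 1. During the assessment, the questions to ask of the organization's hook are the same ones this code makes visible: does it scan only added lines (so old secrets are not re-flagged on every commit), does it have an allowlist and who maintains it, and can a developer bypass it with `--no-verify` without the same scan running again in the build.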

Duration: 2-3 days
Owner: DevSecOps Consultant
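The four quality metrics above are usually self-reported by the team; an assessment is stronger when they are recomputed from the pipeline's own records. The following is an added example, not part of this SOP, showing how each figure is derived from build and deployment events. The record layout and the two weeks of sample data are constructed assumptions; in practice the records come from the CI/CD platform's API or database.

```python
"""CI/CD quality metrics from pipeline records: added example, not part of this SOP.

Computes build success rate, deployment frequency, change failure rate and
mean time to recovery (MTTR) from a constructed two-week event log, so the
figures in the assessment report are reproducible from raw records.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Build:
    started: datetime
    success: bool


@dataclass(frozen=True)
class Deployment:
    deployed_at: datetime
    failed: bool                     # caused an incident, hotfix or rollback
    restored_at: Optional[datetime]  # when service was restored, if it failed


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample records covering 2025-03-03 .. 2025-03-16 (14 days).
BUILDS = [
    Build(_ts("2025-03-03T09:00"), True),
    Build(_ts("2025-03-03T14:00"), False),
    Build(_ts("2025-03-04T10:00"), True),
    Build(_ts("2025-03-05T10:00"), True),
    Build(_ts("2025-03-06T11:00"), True),
    Build(_ts("2025-03-07T09:30"), False),
    Build(_ts("2025-03-10T09:00"), True),
    Build(_ts("2025-03-11T09:00"), True),
    Build(_ts("2025-03-12T09:00"), True),
    Build(_ts("2025-03-13T09:00"), True),
]
DEPLOYS = [
    Deployment(_ts("2025-03-03T10:00"), False, None),
    Deployment(_ts("2025-03-04T11:00"), True, _ts("2025-03-04T13:00")),  # restored after 2h
    Deployment(_ts("2025-03-05T11:00"), False, None),
    Deployment(_ts("2025-03-07T12:00"), False, None),
    Deployment(_ts("2025-03-10T10:00"), True, _ts("2025-03-10T14:00")),  # restored after 4h
    Deployment(_ts("2025-03-12T10:00"), False, None),
    Deployment(_ts("2025-03-13T10:00"), False, None),
]
WINDOW_START = _ts("2025-03-03T00:00")
WINDOW_END = _ts("2025-03-17T00:00")


def build_success_rate(builds) -> float:
    """Fraction of builds that succeeded (0.0 when there are no builds)."""
    return sum(b.success for b in builds) / len(builds) if builds else 0.0


def deployments_per_day(deploys, start: datetime, end: datetime) -> float:
    """Deployment frequency as deployments per calendar day within [start, end)."""
    days = (end - start).total_seconds() / 86400
    return sum(1 for d in deploys if start <= d.deployed_at < end) / days


def change_failure_rate(deploys) -> float:
    """Fraction of deployments that caused a failure in production."""
    return sum(d.failed for d in deploys) / len(deploys) if deploys else 0.0


def mttr_hours(deploys) -> Optional[float]:
    """Mean hours from a failed deployment to restored service; None without failures."""
    hours = [(d.restored_at - d.deployed_at).total_seconds() / 3600
             for d in deploys if d.failed and d.restored_at is not None]
    return sum(hours) / len(hours) if hours else None


def scorecard(builds, deploys, start: datetime, end: datetime) -> dict:
    """All four metrics together, as the assessment report presents them."""
    return {
        "build_success_rate": build_success_rate(builds),
        "deployments_per_day": deployments_per_day(deploys, start, end),
        "change_failure_rate": change_failure_rate(deploys),
        "mttr_hours": mttr_hours(deploys),
    }


if __name__ == "__main__":
    for name, value in scorecard(BUILDS, DEPLOYS, WINDOW_START, WINDOW_END).items():
        print(f"{name}: {value}")
```

For the sample data this gives a build success rate of 0.8, 0.5 deployments per day, a change failure rate of 2/7 and an MTTR of 3 hours. The definition of a "failed" deployment (rollback, hotfix, incident ticket) must be agreed with the team before the numbers are computed, since that choice moves the change failure rate more than anything else.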

Step 4: Maturity Assessment

Objective: Score current state against maturity model

Use OWASP SAMM or similar framework:

Practice Area | Level 1 | Level 2 | Level 3
Governance | Basic policies | Defined processes | Optimized, measured
Design | Ad-hoc review | Threat modeling | Continuous validation
Development | Basic coding standards | Security training | Automated enforcement
Verification | Manual testing | Automated SAST/DAST | Comprehensive, integrated
Operations | Basic monitoring | Incident response | Proactive, automated

  1. Score each practice area (1-3)
  2. Identify maturity gaps
  3. Benchmark against industry peers
  4. Define target maturity state

Duration: 2-3 days
Owner: Security Consultant

Step 5: Gap Analysis and Recommendations

Objective: Develop prioritized improvement roadmap

  1. Document gaps between current and target state
  2. Prioritize gaps by:
     • Security risk reduction
     • Business impact
     • Implementation complexity
     • Resource requirements
  3. Develop recommendations:
     • Quick wins (0-3 months)
     • Medium-term improvements (3-6 months)
     • Long-term transformation (6-12 months)
  4. Estimate resources and budget
  5. Identify tooling requirements
  6. Define success metrics

Duration: 2-3 days
Owner: DevSecOps Consultant
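Steps 4 and 5 together turn maturity scores into a ranked roadmap, and the quality gate later requires that the ranking carry a risk-based rationale. The following is an added example, not part of this SOP or of OWASP SAMM, of making that ranking reproducible: it validates the 1-3 scores, computes each practice area's gap to its target, scores the gap with the four Step 5 criteria and assigns it to one of the three roadmap horizons. The 1-5 rating scale, the criteria weights and the sample scores are constructed assumptions to be replaced by the engagement's own.

```python
"""Maturity gap analysis and roadmap bucketing: added example, not part of this SOP.

Takes Step 4 scores (1-3 per practice area), computes the gap to the target
state, ranks gaps with the four Step 5 criteria and assigns each to the SOP's
roadmap horizons. The weights, the 1-5 rating scale and the sample scores are
constructed assumptions, not figures from the SOP or from OWASP SAMM.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class GapInput:
    area: str
    current: int          # maturity level 1-3 (Step 4)
    target: int           # target maturity level 1-3 (Step 4)
    risk_reduction: int   # 1-5: security risk removed by closing the gap (benefit)
    business_impact: int  # 1-5: value to the business (benefit)
    complexity: int       # 1-5: implementation difficulty (cost)
    resources: int        # 1-5: people and budget needed (cost)


# Assumed weights; benefits add to the score, costs are inverted on the 1-5 scale.
WEIGHTS = {"risk_reduction": 0.4, "business_impact": 0.3,
           "complexity": 0.2, "resources": 0.1}


def _check(item: GapInput) -> None:
    """Reject scores outside the scales before they distort the ranking."""
    for name in ("current", "target"):
        if getattr(item, name) not in (1, 2, 3):
            raise ValueError(f"{item.area}: {name} must be 1-3")
    for name in WEIGHTS:
        if not 1 <= getattr(item, name) <= 5:
            raise ValueError(f"{item.area}: {name} must be 1-5")
    if item.target < item.current:
        raise ValueError(f"{item.area}: target below current state")


def gap(item: GapInput) -> int:
    """Maturity levels between current and target state."""
    _check(item)
    return item.target - item.current


def priority_score(item: GapInput) -> float:
    """Weighted score, higher first; cost criteria are inverted so 5 is cheapest."""
    _check(item)
    return (WEIGHTS["risk_reduction"] * item.risk_reduction
            + WEIGHTS["business_impact"] * item.business_impact
            + WEIGHTS["complexity"] * (6 - item.complexity)
            + WEIGHTS["resources"] * (6 - item.resources))


def horizon(item: GapInput) -> Optional[str]:
    """Roadmap bucket from the SOP: a one-level, low-complexity gap is a quick win."""
    g = gap(item)
    if g == 0:
        return None
    if g == 1 and item.complexity <= 2:
        return "Quick win (0-3 months)"
    if g == 1 or item.complexity <= 3:
        return "Medium-term (3-6 months)"
    return "Long-term (6-12 months)"


def build_roadmap(items):
    """Open gaps ordered by priority, each with gap size, score and horizon."""
    open_gaps = [i for i in items if gap(i) > 0]
    ranked = sorted(open_gaps, key=priority_score, reverse=True)
    return [(i.area, gap(i), round(priority_score(i), 2), horizon(i)) for i in ranked]


# Constructed sample scores for the five practice areas of the Step 4 model.
#                   area          cur tgt risk impact cplx res
SAMPLE = [
    GapInput("Governance",   1,  2,  3,   4,     2,   2),
    GapInput("Design",       1,  3,  5,   4,     4,   3),
    GapInput("Development",  2,  3,  3,   3,     3,   3),
    GapInput("Verification", 1,  3,  5,   3,     3,   4),
    GapInput("Operations",   2,  2,  2,   2,     2,   2),
]

if __name__ == "__main__":
    for area, g, score, bucket in build_roadmap(SAMPLE):
        print(f"{area:13} gap={g} score={score:.2f} {bucket}")
```

With the sample scores, Design ranks first (score 3.9, long-term), then Verification, Governance as the quick win, and Development; Operations has no gap and drops out. The point of writing the rule down is that stakeholders in Step 6 can challenge a weight or a rating rather than the ranking itself.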

Step 6: Assessment Report and Presentation

Objective: Communicate findings and recommendations

  1. Compile assessment report:
     • Executive summary
     • Current state assessment
     • Maturity scorecard
     • Gap analysis
     • Prioritized recommendations
     • Implementation roadmap
     • Budget estimates
  2. Create executive presentation
  3. Present to stakeholders
  4. Address questions and refine priorities
  5. Obtain approval for next steps

Duration: 2-3 days
Owner: Engagement Lead

Deliverables

Deliverable | Format | Owner
SDLC Current State Document | Word/PDF | DevSecOps Consultant
Tool Inventory | Excel | DevSecOps Consultant
SAMM Maturity Scorecard | Excel + visualization | Security Consultant
Gap Analysis | Excel | DevSecOps Consultant
SDLC Assessment Report | Word/PDF (20-30 pages) | Engagement Lead
Recommendations Roadmap | Excel/Project | DevSecOps Consultant
Executive Presentation | PowerPoint | Engagement Lead

Quality Gates

  • All key stakeholders interviewed
  • Development tools and processes documented
  • Security practices across SDLC phases assessed
  • CI/CD pipeline analyzed
  • Maturity scores validated with stakeholders
  • Gaps prioritized with risk-based rationale
  • Recommendations aligned with business objectives
  • Report reviewed by engagement manager

SDLC Security Checkpoints

Phase | Security Activities
Requirements | Security requirements, abuse cases, compliance needs
Design | Threat modeling, security architecture review
Development | Secure coding, code review, SAST
Testing | DAST, SCA, penetration testing
Deployment | Configuration review, secrets management
Operations | Monitoring, incident response, patching

Last Updated: February 2026