Episode 63: System Development Life Cycle (SDLC) Essentials
Welcome to The Bare Metal Cyber CRISC Prepcast. This series helps you prepare for the exam with focused explanations and practical context.
The system development life cycle is a structured process used to plan, build, deploy, and maintain technology systems. Each phase of the SDLC provides an opportunity to manage technical risk, apply governance, and ensure that systems are secure and resilient from the very beginning. These phases typically include planning, design, development, testing, deployment, and ongoing maintenance. CRISC professionals must understand how to integrate risk management and assurance activities into each of these phases to help prevent flaws, reduce vulnerabilities, and meet compliance standards. When the SDLC is poorly managed or not overseen by risk professionals, it can lead to major problems like insecure applications, control failures, or violations of regulatory requirements. This is why understanding how risk aligns with the SDLC is so essential for exam success and for risk-based decision-making in system development.
The SDLC may follow different models, but the underlying phases share common goals. It begins with the initiation or planning phase, where project scope, feasibility, and risk factors are defined. The next step is gathering business and technical requirements to ensure that the system will meet stakeholder needs. The design phase transforms requirements into architectural models and decisions, including how data flows and where controls must be placed. Development follows, in which code is written, configurations are built, and version control is applied to manage changes. Once built, the system enters testing, where it is evaluated for functionality, security, performance, and user acceptance. After successful testing, the implementation phase involves deployment, system monitoring, and ensuring that documentation is in place. Finally, the maintenance phase covers patches, updates, and system improvements to keep the environment secure and functional. Agile and DevOps methods use shorter cycles called sprints, but they still rely on the same core principles, just repeated iteratively. On the exam, you must understand both traditional and modern SDLC variations.
A major principle in risk-aware development is to shift risk considerations earlier in the process—this is often referred to as “shifting left.” By conducting risk assessments early in the planning and requirements phases, organizations can avoid expensive and time-consuming rework that often results from discovering problems late in the process. Security and risk professionals should be directly involved in project scoping to help define secure goals and ensure that threat modeling begins before development even starts. This early work includes identifying where controls need to be designed, what potential threats exist, and how those threats could impact data or operations. When security is added only during the testing phase or just before launch, it is usually too late to be effective. On the exam, any scenario that suggests security was a late addition should be seen as a signal that the system design process was flawed from a control perspective.
Risk requirements must be part of the core functional and design documentation to ensure that the final product aligns with business needs and security expectations. These inputs include regulatory and legal obligations, such as privacy rules or industry standards, as well as information security principles like access control, encryption requirements, and logging. These must be validated against the organization’s architecture policies and classification models. For example, if data classified as confidential is part of the system, encryption and restricted access must be built into the design. If these controls are not clearly defined early on, residual risk will increase, and the project may face audit challenges. On the exam, questions often test whether these requirements were included at the right stage. Failing to account for them in the requirements or design phase creates an environment where risk accumulates silently until deployment.
Secure development involves a set of technical practices that help reduce errors and improve system trustworthiness. These include code reviews to detect security issues and ensure quality, along with both static and dynamic application security testing. Static testing analyzes source code without running it, while dynamic testing checks for vulnerabilities during runtime. Version control systems help developers track changes and allow systems to roll back to previous versions if a new change introduces problems. Developers should be trained not only in writing code but in secure coding practices and how to comply with organizational policies. The use of approved libraries and the avoidance of outdated or unsupported components are also essential to avoid bringing in hidden risks. In CRISC scenarios, you may be asked to identify which development phase lacked the proper control, and the best answer will align with the absence of one of these practices. For example, a question about a known vulnerability introduced during deployment might point to a failure in static testing or code review.
Testing is more than checking whether the system works—it is also a time to confirm whether controls function as expected and whether the system is ready to face real-world threats. Testing should include several layers: basic functional validation to confirm that the system performs as intended, security scanning to detect weaknesses, effectiveness testing for controls, and checks for business continuity and integration with other systems. User acceptance testing must not only verify features but also ensure that security functions meet the user’s needs and comply with policy. For example, multifactor authentication or access restrictions must be validated by end users before launch. In CRISC exam questions, watch for scenarios where testing coverage was incomplete, especially in security or integration areas. A deployment that skipped final control testing or failed to validate access roles would be a clear example of poor SDLC integration.
Going live with a new system must be a controlled and well-documented event, and CRISC professionals are often involved in ensuring governance during this transition. Deployment should not occur without formal approval, a completed impact analysis, and a defined fallback plan in case the launch fails. Every change should be recorded and linked to any relevant entries in the risk register to ensure traceability and accountability. Even emergency changes must follow a documented but flexible workflow, with minimal steps that still preserve oversight. Failure to follow these steps often results in systems going live without adequate protection or backup planning. On the exam, a missing approval process or the lack of a rollback plan may indicate a failure in change governance. You should be able to recognize when proper controls were skipped and understand how that leads to elevated project-level risk exposure.
Once a system is launched, it enters the maintenance phase, which requires continuous oversight to remain secure and functional. This includes applying patches for security vulnerabilities, making configuration adjustments to optimize performance, and updating documentation as changes occur. When patches are missed or delayed, known vulnerabilities remain active in the environment, and threat actors can exploit them. Ongoing monitoring helps detect performance problems, abnormal user behavior, or indicators of misuse or abuse. Unfortunately, the maintenance phase is often overlooked once a system is considered complete. This neglect can lead to control decay, where once-effective protections gradually weaken or become irrelevant. On the exam, scenarios often present issues that stem from poor maintenance, such as unpatched systems or outdated controls. Recognizing the long-term responsibility for system care is part of managing technical risk holistically.
Risk management practices must also be adapted to modern development environments, including Agile and DevOps models. In these approaches, development is broken into short, repeatable cycles called sprints, and risk management must keep pace with the faster delivery schedule. Risk and security reviews should be part of sprint planning sessions and post-sprint retrospectives, helping teams identify potential weaknesses and adjust controls on the fly. Security-related tasks should be written into backlogs and treated like any other requirement. This approach is often called DevSecOps, where security is embedded in the development culture. Automated testing tools, continuous build pipelines, and version-controlled rollbacks can all support better control enforcement. Risk teams should avoid resisting the pace of change and instead work to adapt processes so that security and agility are not in conflict. Exam questions may ask how risk professionals should engage in fast-paced development, and the best answers will reflect integration, not obstruction.
When SDLC topics appear on the CRISC exam, they often require awareness of process timing, control placement, and traceability. A question may describe a failed project and ask what phase was skipped; the correct answer could be the design phase, the testing phase, or an early-stage risk review. You might be asked which control should have been in place to prevent a failure, with options like code review, change approval, or access limitations. Other scenarios might ask how a specific risk was introduced, and you will need to identify whether it came from using an unvetted library, a misconfigured feature, or a missed requirement. Finally, you may be asked to recommend the best approach for secure development, and the correct answer will usually involve embedding controls early and adjusting them as the project evolves. The strongest answers reflect a clear understanding of development timing, proper control integration, alignment with stakeholders, and the need for documentation at every step.
Thanks for joining us for this episode of The Bare Metal Cyber CRISC Prepcast. For more episodes, tools, and study support, visit us at Baremetalcyber.com.
