cdpse-d2-infrastructure-secure-development-life-cycle

Secure Development Life Cycle

isaca-cdpse · framework · Production-ready

Drawn fromCDPSE Review Manual · ISACA peer-reviewed case sets·Reviewed May 5, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Secure Development Life Cycle

A Secure Development Life Cycle (Secure SDLC) is a software development methodology that embeds privacy and security controls at every phase of product creation—from requirements gathering through retirement—rather than treating them as post-deployment additions. It extends the traditional SDLC (Requirements → Design → Build → Test → Deploy → Maintain) by inserting privacy impact assessments, threat modeling, secure coding standards, automated security testing, and compliance verification at each phase gate. In the ISACA CDPSE context, Secure SDLC means that privacy requirements—data minimization, consent management, retention enforcement, breach notification—are first-class engineering requirements, not documentation afterthoughts.

Where it stops · what it isn't

—IS: A repeatable, phase-by-phase process for building privacy and security into software products from inception to retirement.
—IS: A governance framework that bridges business privacy obligations (GDPR, HIPAA, PCI DSS) with technical implementation decisions.
—IS: A set of activities spanning people (training, roles), processes (phase gates, reviews, threat modeling), and tools (SAST, DAST, SCA, secrets management).
—IS NOT: A one-time security audit or penetration test conducted only before deployment.
—IS NOT: A substitute for an incident response plan—Secure SDLC reduces breach likelihood but does not replace response capability.
—IS NOT: Exclusively a developer responsibility—it requires involvement from privacy officers, product managers, architects, QA, and operations.
—IS NOT: Equivalent to DevOps or Agile methodology—Secure SDLC is a security and privacy overlay applicable to any development methodology (waterfall, Agile, DevSecOps).

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

Privacy Architecture — Infrastructure (ISACA CDPSE Domain 2)

REQUIRES

Privacy Requirements Specification (data classification, retention, consent)Threat Modeling (STRIDE, PASTA, DFD)

ENABLES

Privacy-by-Design implementation in production systemsRegulatory compliance (GDPR Art. 25, HIPAA safeguards, PCI DSS v4.0 Req. 6)DevSecOps automation (CI/CD pipeline security integration)

RELATED TO

API Security (CDPSE Infrastructure)Encryption at Rest and in Transit (CDPSE Infrastructure)Identity and Access Management (CDPSE Infrastructure)

CONSTRAINS

Feature development velocity (security gates add review time)

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.