SPLC stands for Secure Product Lifecycle. It is a framework for managing product security throughout the whole life cycle, from the first planning discussions to retirement. It is close to the Software Development Lifecycle (SDLC), but it is broader: the SDLC explains how software is designed, built, tested, and delivered; the SPLC explains how a product stays secure before, during, and after that delivery work.

If you are here for the quick difference: SDLC is about building software, while SPLC is about securing the product over time. A secure SDLC can be one part of an SPLC, but it does not cover everything alone.

SPLC in One Sentence

SPLC is the security lifecycle around a product: define security requirements, design controls, implement them, verify them, release safely, and retire the product without leaving exposed systems or data behind.

SPLC Phases

The SPLC has six phases:

  1. Planning: The product team defines the security requirements and design objectives for the product. This includes identifying potential threats and vulnerabilities, as well as determining how to mitigate them. A security plan is created that outlines the steps to be taken throughout the product's life cycle.
  2. Design: The product team designs the product's security features and mechanisms. This includes selecting the appropriate security technologies and implementing them in the product's design. The goal is to ensure security is integrated into every aspect of the product from the start.
  3. Implementation: The product team builds the product according to the security design. This includes writing code, testing the product, and integrating it with other systems. The goal is to ensure the product is secure and functions as intended.
  4. Verification: The product team verifies that the product meets the security requirements and design objectives. This includes testing security features and conducting a security audit to identify potential vulnerabilities. The goal is to ensure the product is secure and ready for release.
  5. Release: The product is released to the market and made available to customers. This phase also involves providing ongoing support and maintenance, including security updates and patches.
  6. Retirement: The product reaches the end of its life cycle and is retired. This involves decommissioning the product, disposing of it securely, and transferring any remaining assets or data to a new product.

Figure: SPLC production steps. Example of the SPLC steps (without Retirement): Inventonus.

SPLC vs SDLC: The Practical Differences

The SPLC and SDLC are similar in many ways, but there are also key differences. The main difference is the focus: the SDLC focuses on the development of software, while the SPLC focuses on the security of a product. This means the SPLC includes additional phases such as planning and verification that are not present in the SDLC. The SPLC also puts a greater emphasis on security throughout the entire life cycle, while the SDLC focuses mainly on the development phase.

Another difference is the level of detail and rigor. The SPLC is a more detailed process, involving more phases and more thorough security testing. This is necessary because the security of a product is critical to its success; any vulnerabilities or weaknesses can have serious consequences.

Where to Start

You do not need a perfect process to start using SPLC ideas. A useful first step is to make product security explicit in places where it is often implicit:

For more information about SPLC and SDLC:

If you enjoyed this article, feel free to share it or reach out on LinkedIn.