OSA Life Cycle

The OSA community has not yet decided on the primary reference model in terms of SDLC (Solution/System/Software Development Life Cycle).

The main requirements that influence the choice of the SDLC reference model are:

  • The model must have (at least and extension that offers) an adequate covering of security controls.
  • The model must be publicly available (without costly corporate membership rates)
  • The model must be used across several industries/countries
  • The model must NOT be driven/owned by a single company (e.g. vendor)

The currently considered models are:
  • ISO/IEC 15288, System Life Cycle Processes
  • IEEE STD 1220, Application and Management of the Systems Engineering Process
  • ISO/IEC 21827, Systems Security Engineering Capability Maturity Model (SSE-CMM)
  • ITIL
  • COBIT

The above listed models represent a very wide range of model types and hence it maybe difficult to compare against each other.

Please contribute your experience in the corresponding discussion in the OSA discussion forum.

The definition for the term SDLC framework is (as listed also in the glossary page): An SDLC framework defines on a high abstraction level which processes are needed to achieve a given set of system qualities. It hence also defines the actors and puts the SDLC processes into the context of related processes (like project management, architectural governance, etc).