The planning stage is where the stakeholders in any given software project meet to brainstorm what the software should do. It is important that the stakeholders have an awareness of security issues and access controls so that the project does not begin with an inherently insecure concept.

During the planning stage, high-level requirements are defined, and an initial project plan is worked out. At this stage, the project plan will not be very fleshed out, except for plans for the requirements analysis stage.

Once the high-level goals for a software project are defined, those goals need to be translated into formal requirements. Formal requirements list each of the major functions of the software product as well as its inputs and outputs.

The deliverables for this stage will be a formal requirement document and an updated project plan. At this stage, areas that should be considered from a security point of view, such as user authentication and authorization, should be noted.

Once formal requirements have been laid out, system architects and software engineers can begin to design the low-level functions that will make up the final product. At this stage, specific access control measures should be designed into the software.

At the end of the software design phase, all the major questions surrounding the implementation of the product should be answered.

During the development phase, programmers write and test the actual code that makes up a piece of software. This is the stage where security features are implemented and sometimes flaws or weaknesses make their way into the final product. To prevent unintended security flaws, unit testing should be done continuously throughout the development stage.

In the testing and integration phase, the finished software should undergo full system integration testing to ensure that all of the pieces of the software work together properly. The software must also be tested to ensure that it works well with the rest of the system—the operating system, other applications, and back-end database. The primary goal during this phase is to make sure the new software doesn’t break any existing system.

During this phase, the system should also undergo load testing, which measures how the software will perform with an average number of users, as well as how it will perform under extreme load conditions. For example, if the organization estimates that 50 users will use the access control system concurrently, it should be load tested with 50 users, 100 users, or even 190 users. This proves that the system can handle both an average load and double or triple that load. Load testing is normally performed using specialized load testing packages that simulate the activity of normal users. If an organization does not use load testing often enough to justify purchasing and configuring a load testing system, it is possible to obtain load testing services from consulting firms as needed.

During the release and training phase, the software is deployed to production servers, and employees are trained on how to use it. This is an important opportunity to educate them on the importance of security and access controls in their workday.

The support phase of any software project is where most security flaws come out. When the software is in production and being used every day, weaknesses and flaws will begin to surface. During the support phase, you will begin the cycle again as you plan for upgrades and security patches. Although upgrades and patches will not have the same scope as the initial development, they still follow the same basic software life cycle.