Security and risk activities are placed into four phases. There are many different development methodologies and each one has a different phase taxonomy. The OpenSDL uses a minimum set of generic phases that should cover most if not all development methodologies.
- Inception - before creation begins
- Iteration - one or more times
- Release - each time something is produced but not necessarily put into production
- External - actions that are outside the iteration, may be in parallel
Each phases has the exhaustive list of activities. Every project may not use every activity. It will depend on the nature of the project.
The most important aspect of the OpenSDL is that is forms a checklist for the users. A reminder is very important since if we don't remember to do something we will never get it accomplished. If we chose to ignore what we know that is a different issue.
The initial activities are based on the OpenSAMM. Each one of those activities has a maturity level label attached to it with L1 being the lowest and L3 being the highest.