METHOD OF INTEGRATION OF CYBERSECURITY REQUIREMENTS INTO THE SOFTWARE DEVELOPMENT LIFECYCLE
DOI: https://doi.org/10.28925/2663-4023.2026.32.1184
Keywords: cybersecurity; software development life cycle; SDLC; DevSecOps; threat modeling; security; cybersecurity requirements.
Abstract
Today it is not enough to develop software that protects information systems and data; security (cybersecurity) functions must also be integrated into the phases of the software development life cycle itself. To this end, the paper formalizes the well-known software development life cycle models in a general form and derives a unified SDLC model from them. On that basis, a method for integrating cybersecurity requirements into the SDLC is developed. The method assigns each cybersecurity requirement to a specific phase (pipeline stage) of the software development life cycle in accordance with the DevSecOps model, and it supports a formal optimization of the choice of cybersecurity controls depending on the system context and on resource constraints. The results can be used for the systematic integration of cybersecurity requirements (drawn from regulatory documents such as ISO/IEC, NIST, PCI DSS, PSD2, GDPR, and MITRE ATT&CK) into the software development processes of organizations that create or operate critical infrastructure information systems, cloud services, and corporate information and communication systems.
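The abstract mentions two ideas that are easy to state but worth seeing concretely: attaching each requirement-derived control to an SDLC phase (pipeline stage), and choosing controls under a resource limit according to the system's context. The following Python is an added illustration, not the paper's method or code: the requirement catalogue, the control list, the effort costs, the weighting scheme (a requirement counts only if its regulatory source applies to the system) and the budget are all constructed here as assumptions. The optimizer maximizes the weighted set of requirements covered within the budget by exhaustive search over control subsets, which is adequate for a catalogue of this size; a real formalization would need a scalable solver and calibrated weights.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Control:
    name: str
    phase: str          # SDLC phase / pipeline stage the control attaches to (DevSecOps placement)
    cost: int           # effort units, constructed for the example
    covers: frozenset   # ids of requirements this control satisfies

# Constructed requirement catalogue: id -> (regulatory source, base weight).
# Sources are the document families named in the abstract; weights are assumptions.
REQUIREMENTS = {
    "R1": ("PCI DSS", 5),   # protect stored cardholder data
    "R2": ("GDPR", 4),      # personal data minimisation
    "R3": ("NIST", 3),      # vulnerability scanning in the build/test pipeline
    "R4": ("ISO/IEC", 2),   # controlled change via mandatory code review
}

# Constructed control catalogue (hypothetical names, costs and coverage).
CONTROLS = [
    Control("threat_modeling",  "design",  3, frozenset({"R1", "R2"})),
    Control("sast_in_ci",       "build",   2, frozenset({"R3"})),
    Control("dependency_scan",  "build",   1, frozenset({"R3"})),
    Control("mandatory_review", "develop", 2, frozenset({"R4"})),
    Control("field_encryption", "develop", 4, frozenset({"R1"})),
    Control("dast_in_staging",  "test",    3, frozenset({"R3", "R1"})),
]

def requirement_weights(context):
    """Derive per-requirement weights from the system context.

    Assumed scheme: a requirement keeps its base weight only if its regulatory
    source is in context["applicable"]; otherwise it contributes nothing.
    """
    applicable = context["applicable"]
    return {rid: (w if src in applicable else 0) for rid, (src, w) in REQUIREMENTS.items()}

def coverage_value(selection, weights):
    """Weighted value of the requirements covered by at least one selected control.
    Coverage is a set union, so two controls covering the same requirement do not double count."""
    covered = set()
    for c in selection:
        covered |= c.covers
    return sum(weights[r] for r in covered)

def select_controls(controls, weights, budget):
    """Pick the subset of controls with maximal weighted coverage whose total cost
    fits the budget; among equal-value subsets prefer the cheaper one.
    Exhaustive search: fine for a handful of controls, not for hundreds."""
    best_subset, best_value, best_cost = (), 0, 0
    for k in range(len(controls) + 1):
        for subset in combinations(controls, k):
            cost = sum(c.cost for c in subset)
            if cost > budget:
                continue
            value = coverage_value(subset, weights)
            if value > best_value or (value == best_value and cost < best_cost):
                best_subset, best_value, best_cost = subset, value, cost
    return {"controls": [c.name for c in best_subset], "value": best_value, "cost": best_cost}

def pipeline_plan(controls, names):
    """Group the chosen controls by SDLC phase, i.e. where each lands in the pipeline."""
    plan = {}
    for c in controls:
        if c.name in names:
            plan.setdefault(c.phase, []).append(c.name)
    return plan

if __name__ == "__main__":
    # Constructed context: a payment system where GDPR is assumed not to apply.
    ctx = {"applicable": {"PCI DSS", "NIST", "ISO/IEC"}}
    result = select_controls(CONTROLS, requirement_weights(ctx), budget=5)
    print(result)                                        # value 10 at cost 5
    print(pipeline_plan(CONTROLS, set(result["controls"])))
    # Same budget, GDPR now applicable: the cheapest way to cover R1 and R2 is threat modelling.
    ctx_gdpr = {"applicable": {"PCI DSS", "GDPR"}}
    print(select_controls(CONTROLS, requirement_weights(ctx_gdpr), budget=3))
```

Changing the context changes the answer even with the same budget: once GDPR is marked applicable, threat modelling (which covers the personal-data requirement) displaces the staging DAST run that was optimal for the PCI-only context. That is the practical content of "depending on the system context and resource constraints": the weights, not just the budget, decide which controls make it into the pipeline.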
References
Moiseienko, V. M., & Antonenko, S. V. (2025). Research on the use of AI in the software development lifecycle. Actual Problems of Automation and Information Technologies, 29, 293–305.
Delembovskyi, M., Markevych, M., & Korniichuk, B. (2024). Review of cybersecurity audit methodologies for compliance with standards. Pidvodni Tekhnolohii, 1(14), 71–74. https://doi.org/10.32347/uwt.2024.14.1206
Zhuravchak, A., & Piskozub, A. (2025). Analysis of machine learning methods for automating penetration testing. Cybersecurity: Education, Science, Technique, 3(27), 54–62. https://doi.org/10.28925/2663-4023.2025.27.711
Saini, J., & Bansal, A. (2024). Automated penetration testing: Machine learning approach. In Symposium on Computing Intelligent Systems (SCI) (Vol. 3682, pp. 113–125).
Foros, A. V. (2009). Information security as a component of national security of Ukraine. Pravova Derzhava, 11, 222–226.
Khari, M., Vaishali, & Kumar, P. (2016). Embedding security in software development lifecycle (SDLC). In 2016 3rd International Conference on Computing for Sustainable Global Development (INDIACom) (pp. 2182–2186).
IT Notes. (n.d.). Software development lifecycle (SDLC). https://www.it-notes.wiki/other/software-development-lifecycle
Manjeti, V., Penumajji, S., Patlolla, S., et al. (2025). Enhancing security in SDLC with DevOps tools and practices. In 2025 International Conference on Next Generation of Green Information and Emerging Technologies (GIET) (pp. 1–5). https://doi.org/10.1109/GIET65294.2025.11234805
Bhardwaj, A., Anugula, P., et al. (2025). Zero trust CI/CD pipeline: A blueprint for secure software delivery in modern DevSecOps. In 2025 IEEE Uttar Pradesh Section WIE International Conference (pp. 233–237). https://doi.org/10.1109/UPWIECON67212.2025.11390387
International Organization for Standardization. (2022). ISO/IEC 27001:2022—Information security management systems—Requirements.
National Institute of Standards and Technology. (2020). Security and privacy controls for information systems and organizations (NIST SP 800-53 Rev. 5). https://doi.org/10.6028/NIST.SP.800-53r5
Hancock, S. (2025). PCI DSS version 4.0.1: A guide to the payment card industry data security standard. Packt Publishing.
Wodo, W., & Stygar, D. (2021). PSD2-compliant hardware token for digital banking. In 62nd International Scientific Conference on Information Technology and Management Science (ITMS) (pp. 1–6).
IT Governance Privacy Team. (2025). EU General Data Protection Regulation (GDPR): An implementation and compliance guide. Packt Publishing.
Tsai, W., Luo, J.-N., & Chou, C.-L. (2025). Integrating tree structures with the MITRE ATT&CK framework for APT detection. In 2025 9th International Conference on Cryptography, Security and Privacy (CSP) (pp. 139–143). https://doi.org/10.1109/CSP66295.2025.00031
TechnologyAdvice. (n.d.). What is waterfall project management? https://technologyadvice.com/blog/project-management/what-is-waterfall-project-management
Teaching Agile. (n.d.). V-model in software development. https://teachingagile.com/sdlc/models/v-model
Guru99. (n.d.). Incremental model in SDLC. https://www.guru99.com/what-is-incremental-model-in-sdlc-advantages-disadvantages.html
Teaching Agile. (n.d.). Spiral model. https://teachingagile.com/sdlc/models/spiral
InterviewBit. (n.d.). Agile model. https://www.interviewbit.com/blog/agile-model
BETSOL. (n.d.). What is DevOps? https://www.betsol.com/blog/what-is-devops
Skurativskyi, A. (2025). Method for managing cybersecurity requirements in software implementation in business. Information Security, 3, 145–162.
Seol, J., Deuja, J., et al. (2025). A quantitative study across the CIA triad and performance in blockchain-based crypto-space. In 2025 7th International Conference on Blockchain Computing and Applications (BCCA) (pp. 161–168). https://doi.org/10.1109/BCCA66705.2025.11229817
Kharchenko, V., Korchenko, O., & Hnatiuk, S. (2017). Multilevel data model for compliance with cybersecurity regulatory requirements in civil aviation. Information Protection, 19(1), 95–104. https://doi.org/10.18372/2410-7840.19.11499
Raj, G., Singh, D., & Bansal, A. (2014). Analysis for security implementation in SDLC. In 2014 5th International Conference – Confluence (pp. 221–226). https://doi.org/10.1109/CONFLUENCE.2014.6949376
License
Copyright (c) 2026 Сергій Гнатюк, Заріна Побережна, Анатолій Скуратівський

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.