← Module 1: Secure Software Architecture

NSWSoftware EngineeringSyllabus dot point

Inquiry Question 2: How can the security of a developed solution be evaluated?

Describe the secure development lifecycle, including threat modelling, secure coding practices, security testing and ongoing monitoring

A focused answer to the HSC Software Engineering Module 1 dot point on the SDLC. Threat modelling, secure coding standards, code review, SAST and DAST tools, penetration testing, ongoing monitoring, and the traps markers look for.

Generated by Claude OpusReviewed by Better Tuition Academy6 min answerUpdated 2026-05-20

Have a quick question? Jump to the Q&A page

What this dot point is asking

NESA wants you to describe security as an integrated part of the whole software development lifecycle, not a checkbox at the end. You need to name the stages, the activities at each stage, and the tools or techniques used.

The answer

The secure development lifecycle (SDLC) integrates security into every phase of software development. Industry frameworks (Microsoft SDL, OWASP SAMM, NIST SSDF) describe slightly different stages, but the structure is broadly:

1. Requirements and design

Threat modelling: identify what could go wrong using a framework like STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege).
Security requirements: write each threat-mitigation as a testable requirement.
Reference architectures: use patterns known to be secure (HTTPS everywhere, parameterised queries, MFA, RBAC) rather than reinventing.

2. Implementation

Secure coding standards: OWASP cheat sheets, CERT guides, language-specific guidance.
Code review: every change peer-reviewed before merge. Reviewers look for security issues alongside correctness and style.
Static Application Security Testing (SAST): automated code scanners (Semgrep, SonarQube, GitHub Advanced Security) catch common vulnerabilities and bad patterns.
Secret scanning: detect API keys or passwords committed to source control.
Dependency management: lock files, dependency scanners (Dependabot, Snyk), pin versions.

3. Testing

Unit and integration tests for security-relevant logic (authentication, authorisation, validation).
Dynamic Application Security Testing (DAST): OWASP ZAP, Burp Suite probe the running app.
Penetration testing: ethical hackers attempt real attacks. Done by external firms before major releases.
Fuzz testing: feed random or malformed inputs to find crashes and edge cases.

4. Deployment

Hardened configuration: minimal services, secure defaults, secret management (AWS Secrets Manager, HashiCorp Vault).
Infrastructure as code (IaC): reproducible builds, scanned for misconfigurations.
Signed artefacts: verify integrity of binaries and container images at deploy time.

5. Operation and monitoring

Centralised logging: capture authentication events, errors, anomalous access.
Security monitoring: a Security Information and Event Management (SIEM) system aggregates logs and runs detection rules.
Alerting and incident response: defined playbooks for common incidents (credential leak, suspected breach).
Patch management: automate dependency updates, apply OS and runtime patches promptly.
Periodic retesting: rerun the design and test stages against the live system.

Continuous, not linear

In modern practice security activities run continuously, not as a one-off audit at the end. Each pull request triggers SAST scans, dependency scans and code review. Each deploy triggers configuration checks. Each production day generates security logs that feed monitoring.

# Example: a GitHub Actions security stage
# .github/workflows/security.yml
"""
name: Security
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: SAST
        uses: github/codeql-action/analyze@v3
      - name: Dependency scan
        run: pip install pip-audit && pip-audit
      - name: Secret scan
        uses: gitleaks/gitleaks-action@v2
"""

Worked example

A team is building a new payments feature. Describe one SDLC activity per stage.

Requirements: threat model the payment flow. Tampering (price manipulated client-side) and information disclosure (card number leaked in logs) are the top threats. Requirements added: "server validates the price before charging" and "card numbers are tokenised before any logging".

Implementation: code review enforces use of the parameterised query helper. SAST in CI flags any direct SQL string concatenation.

Testing: penetration tester attempts to manipulate the price by modifying the JSON request. Test passes if the server rejects the tampered price.

Deployment: payment service keys are stored in the cloud secret manager, not in source code. The deploy pipeline rejects any commit containing strings matching the secret pattern.

Monitoring: alerts fire when refunds exceed a daily threshold (suggesting abuse) or when 3DS challenge failures spike (suggesting credential testing).

Past exam questions, worked

Real questions from past NESA papers on this dot point, with our answer explainer.

2025 HSC6 marksDescribe four stages of the secure development lifecycle and explain a specific activity that occurs at each stage.

Show worked answer →

Requirements and design: threat modelling. The team uses a framework like STRIDE to identify what could go wrong (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege). Each threat is paired with a mitigation that becomes a requirement, for example "all admin endpoints require MFA" responding to spoofing.

Implementation: secure coding standards and code review. Developers follow language-specific guidance (OWASP secure coding cheat sheets) and every change is peer-reviewed before merge. Static Application Security Testing (SAST) tools like SonarQube or Semgrep scan code automatically for common vulnerabilities (SQL injection patterns, hardcoded secrets, weak crypto).

Testing: dynamic security testing. Dynamic Application Security Testing (DAST) tools like OWASP ZAP exercise the running app and probe for vulnerabilities. Penetration testing - hiring an ethical hacker to attempt to break in - covers issues that automated tools cannot find. Dependency scanning runs against the build pipeline to flag vulnerable libraries.

Deployment and monitoring: ongoing observation. Centralised logs capture authentication attempts, errors, and access patterns. Alerting catches anomalies (a thousand failed logins per minute, unusual outbound traffic). Patch management keeps third-party components updated. Periodic re-testing repeats earlier security checks against the live system.

Markers reward all four stages named correctly, a concrete activity at each (not just "do security"), and recognising that security is continuous, not a one-off audit at the end.