Secure Software Development Lifecycle (SDLC)
From Idea to Operations (Secure SDLC)
EventLinx uses a Secure Software Development Lifecycle (SDLC) so that security and privacy are part of the system from the beginning rather than something added later. Every feature follows the same general path, starting from planning and ending in ongoing operation and maintenance.
Work begins with understanding what needs to be built, then moves into design, where the system structure and its security requirements are defined. Developers then build the feature, it is tested so that issues are found early, and only after testing is the change approved for release. Once released, the system continues to be monitored and maintained.
Security requirements such as access control, authentication, and privacy handling are defined at the design stage, so they shape how the system is built instead of being retrofitted. This approach follows common industry SDLC practices, including NIST guidance such as the Secure Software Development Framework (SSDF).
Changing live systems (Change Management)
Any modification to the system is handled through a controlled change process. This is done so updates do not introduce unnecessary risk or break existing functionality.
Some changes are small and routine, such as documentation updates, while others affect system behavior or infrastructure and require review before they are approved. High-urgency fixes, such as security patches, can move faster, but they are still tracked and reviewed after they are applied.
| Change type | Examples | Approval | Outcome |
|---|---|---|---|
| Standard | Documentation updates | Pre-approved | Logged |
| Normal | Feature or config changes | IT approval / review | Tested before release |
| Emergency | Security fix or incident patch | Fast approval path | Post-review required |
Once a change is requested, it goes through a simple flow where it is reviewed for risk, approved if needed, implemented, tested, and then documented. Even emergency changes follow this structure so there is always a record of what was done and why.
Purpose
The purpose of this lifecycle is to keep changes safe, predictable, and controlled. It ensures that security is considered from the start, that risks are checked before anything is released, and that changes can always be traced if something needs to be reviewed later.
It also helps keep production systems stable by reducing unexpected or unsafe changes.
Scope
This process applies to all software and system changes within EventLinx. This includes application features, infrastructure configuration, security settings, and updates to supporting systems. Documentation changes are also included, but they are usually simpler because they do not affect system behavior in the same way.
Third-party services and integrations are included when changes affect how data flows or how access is handled between systems.
People involved
Different roles take part in the process depending on the type of change. Management provides oversight and approves higher-risk changes. Developers are responsible for building and testing features. System administrators handle deployment and system configuration. Security roles review changes to make sure risks are properly managed.
In more complex or higher-risk situations, additional approval may come from a change advisory group.
All staff are expected to follow the process and ensure changes are properly submitted and tracked.
Documentation in the process
Documentation is handled as part of the same lifecycle. Updates still go through review and tracking, but they are usually simpler because they do not impact core system behavior. Even so, documentation changes are recorded so there is a clear history of what was updated and when.
Records and privacy
All changes are recorded so the organization can track what was changed, when it was changed, and who approved it. This includes change requests, approvals, and deployment records.
If a change involves personal information, it must also follow the privacy requirements of PIPEDA (Canada's Personal Information Protection and Electronic Documents Act) so that the data is handled properly and safely.