421.5 Installation and maintenance

Overview

The final stage of the Secure Software Development Lifecycle (SSDL) involves installing the software into its production environment and maintaining it over time. This stage ensures that the system is correctly deployed, accessible to users, and continuously supported to remain secure and reliable.

Secure installation and maintenance are often overlooked, yet they are critical to preventing vulnerabilities from being introduced after development. This includes configuring access rights, managing updates, and responding to issues as they emerge in use.

Targets

In this topic, students learn to:

• Identify common installation and deployment practices

• Evaluate how configuration affects software security

• Describe strategies for secure maintenance and updates

• Understand how ongoing support ensures system resilience

Syllabus references

Installation methods

Software can be installed using a variety of deployment methods, each with implications for security and usability:

• Direct installation – The software is deployed in full and replaces the old version

• Phased installation – Parts of the system are installed gradually

• Parallel installation – The new system runs alongside the old system to verify correctness

• Pilot installation – The software is released to a small group of users for real-world testing before full deployment

In secure systems, installation must include:

• Verification of the software build (e.g. checksums, digital signatures)

• Removal of default passwords, test data, or unused services

• Configuration of secure settings, access controls, and logging

Secure deployment practices

Before final release, developers should:

• Perform final vulnerability scanning and penetration testing

• Use scripts or automation tools to reduce human error during setup

• Ensure that the environment (e.g. servers, databases) is hardened and patched

• Document the deployment process for traceability and repeatability

Maintenance activities

Software maintenance ensures long-term system security and performance. It includes:

• Bug fixing: Responding to errors discovered after release

• Security patching: Updating software to fix vulnerabilities

• Feature updates: Adding new capabilities while preserving system integrity

• Monitoring and auditing: Using logs and alerts to detect suspicious activity

• User support: Responding to help requests or usability issues

Importance of ongoing security

Security is not a “set and forget” task. Threats evolve, users make mistakes, and systems change. Maintenance must be proactive and documented.

Best practices include:

• Scheduling regular software updates and backup procedures

• Reviewing user access levels periodically

• Retiring outdated components and libraries

• Using monitoring tools to detect anomalies in real time

Outcome of this phase

By the end of the installation and maintenance phase, the software should:

• Be correctly deployed in a secure configuration

• Be monitored and supported to ensure continued compliance with functional and security requirements

• Have a documented update plan and support structure

• Be resilient to emerging threats through proactive maintenance