NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-18(1) — Multiple Phases of System Development Life Cycle
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Apply tamper resistance and detection measures at multiple phases of the system development lifecycle, not just at deployment. This protects the system during development, testing, shipping, and operation.
Example 1: Protect your development environment with the same rigor as production. Implement code signing so that code cannot be modified between development and deployment without detection. Use secure build pipelines that log every build step and verify build artifact integrity.
Example 2: Implement integrity verification at each handoff point: from development to testing (signed builds), from testing to staging (verified artifacts), from staging to production (hash verification). Any integrity failure at any stage stops the deployment and triggers an investigation.
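The handoff checks in Example 2, sketched in Python as an added illustration (not code from NIST or from this page's author). The stage names, per-stage keys and manifest layout are assumptions, and the HMAC stands in for real code signing, which would use an asymmetric signature issued by the build system.

```python
import hashlib, hmac, json

# Assumed stage names, taken from the handoffs listed in Example 2.
STAGES = ["development", "testing", "staging", "production"]

class IntegrityFailure(Exception):
    """Stops a promotion; the caller should open an investigation."""

def _mac(body: dict, key: bytes) -> str:
    # HMAC is a stand-in (assumption) for an asymmetric code-signing signature.
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def sign_manifest(artifact: bytes, stage: str, key: bytes) -> dict:
    """Record the artifact digest on behalf of the stage releasing it."""
    body = {"stage": stage, "sha256": hashlib.sha256(artifact).hexdigest()}
    return {**body, "mac": _mac(body, key)}

def verify_handoff(artifact: bytes, manifest: dict, from_stage: str, key: bytes) -> None:
    """Fail closed unless the manifest is authentic, from the expected stage, and matches."""
    body = {"stage": manifest.get("stage"), "sha256": manifest.get("sha256")}
    if not hmac.compare_digest(_mac(body, key), str(manifest.get("mac", ""))):
        raise IntegrityFailure(f"manifest signature invalid leaving {from_stage}")
    if body["stage"] != from_stage:
        raise IntegrityFailure(f"manifest is for {body['stage']}, expected {from_stage}")
    if not hmac.compare_digest(hashlib.sha256(artifact).hexdigest(), str(body["sha256"])):
        raise IntegrityFailure(f"artifact hash mismatch leaving {from_stage}")

def promote(artifact_at, keys: dict) -> list:
    """Walk every handoff; artifact_at(stage) returns the bytes present at that stage.
    Returns the audit log and stops at the first failed check."""
    log = []
    manifest = sign_manifest(artifact_at(STAGES[0]), STAGES[0], keys[STAGES[0]])
    for src, dst in zip(STAGES, STAGES[1:]):
        received = artifact_at(dst)
        try:
            verify_handoff(received, manifest, src, keys[src])
        except IntegrityFailure as exc:
            log.append(f"BLOCKED {src}->{dst}: {exc}")
            return log  # deployment stops here
        log.append(f"OK {src}->{dst}")
        manifest = sign_manifest(received, dst, keys[dst])  # re-attest for the next hop
    return log

if __name__ == "__main__":
    keys = {s: f"constructed-key-{s}".encode() for s in STAGES}  # constructed sample keys
    build = b"constructed build output"                          # constructed sample artifact
    print(promote(lambda stage: build, keys))
    print(promote(lambda stage: build + b" modified" if stage == "staging" else build, keys))
```

Each stage signs with its own key, so a manifest replayed from a different stage is rejected even when the artifact hash matches.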