
Security Development Lifecycle (SDL) at Bilibili: Implementation, Data Lifecycle Security, and DevSecOps

At Bilibili, the security team adapted Microsoft’s Security Development Lifecycle by establishing capability practices such as training, threat modeling, secure coding, and component scanning, integrating these processes into development pipelines through dedicated business partners, extending protection to the full data lifecycle, and evolving toward automated DevSecOps with in‑pipeline DAST and a custom vulnerability management platform.

Bilibili Tech

The article introduces the concept of the Security Development Lifecycle (SDL), describing its origin in 2004 at Microsoft as a systematic approach to embed security activities throughout all software development phases, thereby reducing vulnerabilities.

SDL consists of seven core activities—security training, security requirements, secure design, secure development, security testing, secure release, and security response—illustrated in Figure 1.

In 2020, Bilibili’s security team began applying the SDL model, dividing the effort into two stages: establishing security capabilities and integrating security processes into the existing development workflow.

Security Capability Implementation

The team introduced specific security practices for each development stage, including security awareness training, baseline security requirements, threat modeling, secure coding guidelines, third‑party component scanning, interactive application security scanning, continuous dynamic application security scanning, and HIDS/WAF coverage.

Security Process Integration

To embed SDL into Bilibili’s development pipeline, the team assigned security Business Partners (BPs) to key business lines, conducted regular security training, added QA nodes to internal workflow and service management platforms, and established periodic communication mechanisms with developers.

After more than a year of practice, a prototype of the SDL model was demonstrated (Figure 2).

Data Lifecycle Security

With new data protection regulations, SDL was extended to cover data lifecycle security, encompassing data collection, transmission, storage, processing, sharing, and destruction. The organization introduced data classification and grading, API and database classification, and enforced encryption for high‑sensitivity data (Figures 3 and 4).
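The classification-and-grading step described above only protects data if something enforces it at the point where records are written and logged. The following Python is an added example, not Bilibili's code: it assumes a four-grade scheme (grade 3 and above counted as high sensitivity), a constructed field schema, and an envelope marker `enc:<key_id>:...` that the platform's encryption service would put on already-encrypted values. It maps each grade to the controls that apply, blocks writes that would store a high-sensitivity field in plaintext, and masks graded fields before they reach logs.

```python
"""Classification-driven storage gate (added example, not Bilibili's code).

Assumptions, not values from the article: grades 1-4 with 4 most
sensitive, grade >= 3 is "high sensitivity", and an already-encrypted
value is carried as "enc:<key_id>:<ciphertext>".
"""
from typing import Dict, List, Set

ENC_PREFIX = "enc:"       # assumed envelope marker for encrypted values
HIGH_SENSITIVITY = 3      # assumed grade at which encryption at rest is mandatory

# Constructed classification schema: field name -> sensitivity grade
SCHEMA: Dict[str, int] = {
    "user_id": 1,
    "nickname": 2,
    "phone": 3,
    "id_card": 4,
}


def controls_for(grade: int) -> Set[str]:
    """Map a sensitivity grade to the controls a record must satisfy."""
    controls: Set[str] = set()
    if grade >= 2:
        controls.add("mask_in_logs")
    if grade >= HIGH_SENSITIVITY:
        controls.update({"encrypt_at_rest", "access_approval"})
    return controls


def is_encrypted(value) -> bool:
    """True if the value already carries the assumed encryption envelope."""
    return isinstance(value, str) and value.startswith(ENC_PREFIX)


def check_record(record: Dict) -> List[str]:
    """Return policy violations that should block the write; empty means OK.

    Fields missing from the schema are reported too: an unclassified
    field cannot be proven safe to store.
    """
    violations = []
    for field, value in record.items():
        grade = SCHEMA.get(field)
        if grade is None:
            violations.append(f"{field}: unclassified field")
            continue
        if "encrypt_at_rest" in controls_for(grade) and not is_encrypted(value):
            violations.append(f"{field}: grade {grade} stored in plaintext")
    return violations


def mask_for_log(record: Dict) -> Dict:
    """Redact fields whose grade requires masking before they are logged.

    Unknown fields are treated as high sensitivity, so a new field that
    nobody classified is masked rather than leaked.
    """
    masked = {}
    for field, value in record.items():
        grade = SCHEMA.get(field, HIGH_SENSITIVITY)
        masked[field] = "***" if "mask_in_logs" in controls_for(grade) else value
    return masked


if __name__ == "__main__":
    # Constructed records: one compliant, one that must be rejected
    good = {"user_id": 1, "nickname": "a", "phone": "enc:k1:abc", "id_card": "enc:k1:def"}
    bad = {"user_id": 1, "phone": "13800000000", "email": "x"}
    print("good:", check_record(good))
    print("bad:", check_record(bad))
    print("log view:", mask_for_log(good))
```

The gate sits in front of the write path; the same `controls_for` table is what an API- or database-level classification would consult when deciding whether access approval is needed.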

From SDL to DevSecOps

The article reflects on challenges of scaling SDL across a large organization, such as resource constraints and workflow friction, and proposes DevSecOps as a more seamless, automated alternative. DevSecOps integrates security tools into CI/CD pipelines, aiming for “security‑in‑the‑flow” without sacrificing developer efficiency.
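"Security-in-the-flow" in practice means a pipeline stage that consumes scanner output and decides whether the build proceeds, without turning every low-severity finding into a blocker. The Python below is an added example and not Bilibili's pipeline code; the severity scale, the blocking threshold, the scanner names and the JSON finding format are all assumptions. It deduplicates findings by fingerprint, blocks only at or above the threshold, and lets issues already triaged and accepted in the vulnerability platform pass so the same known finding does not fail every build.

```python
"""CI security gate (added example, not Bilibili's pipeline code).

Assumptions: SCA, SAST and DAST stages emit findings as a JSON list of
{tool, severity, title, fingerprint}; severities and the blocking
threshold below are not values from the article.
"""
import json
from collections import Counter
from typing import Dict, List, Set

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed policy: block on high/critical, record everything else without blocking
BLOCK_AT = "high"

# Constructed sample output from three scanner stages in one pipeline run
SAMPLE_FINDINGS = json.dumps([
    {"tool": "sca", "severity": "critical", "title": "vulnerable dependency", "fingerprint": "dep-1"},
    {"tool": "sast", "severity": "medium", "title": "hardcoded secret candidate", "fingerprint": "sast-7"},
    {"tool": "dast", "severity": "high", "title": "reflected input in response", "fingerprint": "dast-3"},
    {"tool": "dast", "severity": "high", "title": "reflected input in response", "fingerprint": "dast-3"},
    {"tool": "sast", "severity": "low", "title": "missing security header", "fingerprint": "sast-9"},
])


def load_findings(raw: str) -> List[Dict]:
    """Parse scanner JSON, drop duplicate fingerprints, reject unknown severities.

    An unknown severity is an error rather than silently "low": a scanner
    that changed its output format must not make the gate pass by accident.
    """
    seen: Set[str] = set()
    findings = []
    for f in json.loads(raw):
        if f["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f['severity']!r} from {f['tool']}")
        if f["fingerprint"] in seen:
            continue
        seen.add(f["fingerprint"])
        findings.append(f)
    return findings


def evaluate_gate(findings: List[Dict], block_at: str = BLOCK_AT,
                  accepted: Set[str] = frozenset()) -> Dict:
    """Decide pass/fail for the pipeline stage.

    `accepted` holds fingerprints already triaged in the vulnerability
    platform (for example marked ignored), so a known, tracked issue does
    not block every subsequent build.
    """
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in findings
                if SEVERITY_RANK[f["severity"]] >= threshold
                and f["fingerprint"] not in accepted]
    return {
        "passed": not blocking,
        "blocking": [f["fingerprint"] for f in blocking],
        "by_severity": dict(Counter(f["severity"] for f in findings)),
    }


if __name__ == "__main__":
    result = evaluate_gate(load_findings(SAMPLE_FINDINGS))
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if result["passed"] else 1)
```

The non-zero exit status is what the CI system keys on; everything in `by_severity`, blocking or not, is what gets forwarded to the vulnerability management platform.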

DAST & Vulnerability Management

Dynamic Application Security Testing (DAST) is highlighted as a low‑impact yet high‑accuracy method for detecting runtime vulnerabilities. Bilibili’s self‑developed DAST system, Sibyl, performs URL scanning, application scanning, and baseline scanning (Figure 5), feeding results into a custom vulnerability management platform.

The vulnerability management platform tracks issues through five states—pending review, pending fix, pending retest, fixed, and ignored—and provides reporting on metrics such as fix rate and remediation time (Figures 6 and 7).
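The five states above are naturally modelled as a state machine whose transitions determine what the metrics mean. The Python below is an added example, not the platform's code: the state names are the ones the article lists, while the allowed transitions, the SLA values, and the definitions of fix rate (fixed issues as a share of confirmed ones) and remediation time (confirmation to verified fix) are assumptions. A retest that fails sends the issue back to "pending fix" without resetting its clock, so repeated fix attempts count against remediation time.

```python
"""Vulnerability lifecycle tracker (added example, not Bilibili's platform code).

The five states are the ones the article lists; the transition table,
the SLA values and the metric definitions are assumptions.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

PENDING_REVIEW = "pending_review"
PENDING_FIX = "pending_fix"
PENDING_RETEST = "pending_retest"
FIXED = "fixed"
IGNORED = "ignored"

# Assumed transition table: current state -> states it may move to
TRANSITIONS = {
    PENDING_REVIEW: {PENDING_FIX, IGNORED},   # triage confirms or dismisses
    PENDING_FIX: {PENDING_RETEST},            # developer submits a fix
    PENDING_RETEST: {FIXED, PENDING_FIX},     # retest passes, or fails and reopens
    FIXED: set(),                             # terminal
    IGNORED: set(),                           # terminal
}


class Vulnerability:
    def __init__(self, vuln_id: str, severity: str, opened_at: datetime):
        self.id = vuln_id
        self.severity = severity
        self.state = PENDING_REVIEW
        self.confirmed_at: Optional[datetime] = None  # remediation clock starts here
        self.fixed_at: Optional[datetime] = None
        self.history: List[Tuple[datetime, str]] = [(opened_at, PENDING_REVIEW)]

    def transition(self, new_state: str, at: datetime) -> None:
        """Move to new_state, refusing anything the table does not allow."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.id}: {self.state} -> {new_state} is not allowed")
        if new_state == PENDING_FIX and self.confirmed_at is None:
            self.confirmed_at = at
        if new_state == FIXED:
            self.fixed_at = at
        self.state = new_state
        self.history.append((at, new_state))


def fix_rate(vulns: List[Vulnerability]) -> float:
    """Fixed issues as a share of confirmed ones (ignored and unreviewed excluded)."""
    confirmed = [v for v in vulns if v.confirmed_at is not None]
    if not confirmed:
        return 0.0
    return sum(1 for v in confirmed if v.state == FIXED) / len(confirmed)


def mean_remediation_days(vulns: List[Vulnerability]) -> float:
    """Average days from confirmation to verified fix."""
    fixed = [v for v in vulns if v.fixed_at is not None]
    if not fixed:
        return 0.0
    total = sum((v.fixed_at - v.confirmed_at).total_seconds() for v in fixed)
    return total / len(fixed) / 86400


def overdue(vulns: List[Vulnerability], now: datetime, sla_days: Dict[str, int]) -> List[str]:
    """IDs of confirmed, unfixed issues older than their severity's (assumed) SLA."""
    return [v.id for v in vulns
            if v.confirmed_at is not None and v.state not in (FIXED, IGNORED)
            and now - v.confirmed_at > timedelta(days=sla_days[v.severity])]


def build_sample() -> List[Vulnerability]:
    """Constructed timeline for four issues opened on the same day."""
    t0 = datetime(2024, 1, 1)
    day = timedelta(days=1)
    v1 = Vulnerability("v1", "high", t0)
    v1.transition(PENDING_FIX, t0 + day)
    v1.transition(PENDING_RETEST, t0 + 3 * day)
    v1.transition(FIXED, t0 + 4 * day)            # 3 days to remediate
    v2 = Vulnerability("v2", "medium", t0)
    v2.transition(PENDING_FIX, t0 + 2 * day)
    v2.transition(PENDING_RETEST, t0 + 3 * day)
    v2.transition(PENDING_FIX, t0 + 4 * day)      # retest failed, reopened
    v2.transition(PENDING_RETEST, t0 + 6 * day)
    v2.transition(FIXED, t0 + 7 * day)            # 5 days to remediate
    v3 = Vulnerability("v3", "low", t0)
    v3.transition(IGNORED, t0 + day)              # triaged as not applicable
    v4 = Vulnerability("v4", "high", t0)
    v4.transition(PENDING_FIX, t0 + day)          # still open
    return [v1, v2, v3, v4]


if __name__ == "__main__":
    sample = build_sample()
    print("fix rate:", fix_rate(sample))
    print("mean remediation days:", mean_remediation_days(sample))
    print("overdue:", overdue(sample, datetime(2024, 1, 11), {"high": 7, "medium": 14, "low": 30}))
```

Keeping `history` per issue is what makes the reporting auditable: the fix rate and remediation time can be recomputed for any past date from the recorded transitions rather than trusted from a cached counter.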

Conclusion

The author shares personal experience of building application security from scratch at Bilibili, emphasizing the importance of integrating security capabilities with business development, the ongoing work in data lifecycle security, and future directions for combining DevSecOps with SDL.

Tags: vulnerability management, Data Security, application security, DAST, DevSecOps, SDL
Written by Bilibili Tech

Provides introductions and tutorials on Bilibili-related technologies.