At my local university, there is a small student computing club of about 20 students. The club has several small teams with specific areas of focus, such as mobile development, robotics, game development, and hacking / security.

I am introducing some basic agile development concepts to a couple of the teams, such as user stories, estimating complexity of tasks, and continuous integration for version control and automated builds/testing.

I am familiar with some basic development life-cycles, such as waterfall, spiral, RUP, agile, etc., but I am wondering if there is such a thing as a software development life-cycle for hacking / breaching security. Surely, hackers are writing computer code, but what is the life-cycle of that code? I don't think that they would be too concerned with maintenance, as once the breach has been found and patched, the code that exploited that breach is useless.

I imagine the life-cycle would be something like:

1. Find gap in security
2. Exploit gap in security
3. Procure payload
4. Utilize payload

I propose the following questions:

• What kind of formal definitions (if any) are there for the development life-cycle of software when the purpose of the product is to breach security?