Software security is an essential requirement for software systems. However, recent investigation indicates that many software development methodologies do not explicitly include methods for incorporating information security into the software development life cycles (SDLC). This research investigates, using case study, the methodologies being used in software development in Saudi Arabia and describes a model for integrating security into the SDLC. The aim is to identify the appropriate means of introducing security measures much earlier in the SDLC. This model is designed to be an extension to the existing SDLC. For achieving the research objectives and answering the research questions, the research followed a case study research design in an information‐based organization. The research identified various important elements as security standards, policies, processes being practiced, and tools used within SDLC projects. In this regard, recommendations and verification were gathered to elicit the actual activities that are appropriate to be conducted at each phase of SDLC. The non‐functional security requirements were also found, to the use of fortify and hp alm for source code review and web application testing. Copyright © 2016 John Wiley & Sons, Ltd.