At my local university, there is a small student computing club of about 20 students. The club has several small teams with specific areas of focus, such as mobile development, robotics, game development, and hacking / security.
I am introducing some basic agile development concepts to a couple of the teams, such as user stories, estimating complexity of tasks, and continuous integration for version control and automated builds/testing.
I am familiar with some basic development life-cycles, such as waterfall, spiral, RUP, agile, etc., but I am wondering if there is such a thing as a software development life-cycle for hacking / breaching security. Surely, hackers are writing computer code, but what is the life-cycle of that code? I don’t think that they would be too concerned with maintenance, as once the breach has been found and patched, the code that exploited that breach is useless.
I imagine the life-cycle would be something like:
- Find gap in security
- Exploit gap in security
- Procure payload
- Utilize payload
What kind of differences (if any) are there for the development life-cycle of software when the purpose of the product is to breach security?
What type of code are you talking about?
There are many security tools used in the process of hacking, including scanners like nmap, sqlmap, Nessus and many others. I would imagine they have the same type of software life-cycles as any other applications.
On the other hand, there is exploit code: code written to take advantage of a very specific exploit and situation. I very much doubt that needs any life-cycle at all. However, much exploit code is also integrated with a larger exploitation framework like Metasploit.
After a discussion with @AviD, I would like to add in a few points.
It will be very different for specific situations.
Some exploit code might be rushed out to take into account the window before the zero-day is patched. Code might be rushed out for other reasons as well. See: CRIME – How to beat the BEAST successor? for a great example of this. A person wrote a piece of PoC code to quickly prove his point. No software life-cycle methodology is taken into account for code like this.
Weaponized malware like Stuxnet or Flame probably does. Packaged software like Metasploit does.
So the right answer is… it depends.
I don’t see why there should be any specifically different development life-cycle depending on the purpose of the product.
Software that is developed to breach security can have as long a life as any other type of software and will require the same amount of maintenance and work.
Different creators of such software will adopt different life-cycles depending on their needs.
The development models that you specify are just that – development models. They are extremely useful when you are doing engineering development – when you have requirements, when you have to create or modify system architectures or component designs, when you need to build or modify a product and associated tests, and when you release to a customer.
I’m not sure that these models can be directly applied to more research-oriented projects, where you are trying to answer questions or learn more about a system (or the system’s security weaknesses, in your particular case).
I would suspect that the iterative/incremental models, such as the agile methods and the Spiral model would be the most useful to form a basis. In each iteration, you can work toward answering questions or defining more parameters to work with, which might or might not include writing any code. Perhaps various scientific research methods might also provide an interesting foundation.
Hacking has recently seen a strong professionalization, away from single hackers doing it “for the lulz” or to gain fame, towards collaboration between specialists with the goal of making money. The result has been fully-fledged commercial “hacking kits” like the Blackhole exploit kit, where specific software weaknesses can be easily integrated like plugins. I’d assume that such products are developed pretty much exactly like any other software products.
There is also apparently a developing market for zero-day exploits.
Life-cycle is never code dependent. It is rather dependent upon other factors like:
- Time
- Budget
- Nature of Customer
- Nature of Product
In your scenario, the Agile life-cycle methodology would be most useful. The reason is that you need to involve your customer during development and have to verify the acceptable quality parameters of your product. Agile methodology would help you immensely to improve your hacking software by gathering your customer’s feedback and then gradually working on an incremental basis.