Secure development policy
Alias: Application Security Policy
Summary
The secure development policy defines rules and principles applied in software development.
The policy applies to all developers, internal and external.
Secure development practices will be established, implemented, and documented for all applications developed or purchased to include appropriate security controls to prevent unauthorized access or modification of the system or information coded or stored.
Principles
Source control
- All source code is stored in a code repository
- All checked in source code must compile without warnings
- Code should be reviewed by a peer before it can be committed to Acceptance
Development
- Developing a test plan/script is part of all user stories
- Privacy and security are part of any design
- Developers should be aware of common threats and vulnerabilities (through initiatives as https://www.owasp.org/index.php/Main_Page)
Libraries and frameworks
The use of libraries and frameworks is encouraged, but
- The versions should be periodically assessed for vulnerabilities
- Use the library or framework as-is, refrain from making changes (this makes updating a lot more complicated, and it may pose licensing problems)
Updated about 1 year ago