8.25 Secure development life cycle
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application_security #System_and_network_security | #Protection |
Control
Rules for the secure development of software and systems should be established and applied.
Purpose
To ensure information security is designed and implemented within the secure development life cycle of software and systems.
Guidance
Secure development is a requirement to build up a secure service, architecture, software and system. To achieve this, the following aspects should be considered:
a) separation of development, test and production environments (see 8.31);
b) guidance on the security in the software development life cycle:
1) security in the software development methodology (see 8.28 and 8.27);
2) secure coding guidelines for each programming language used (see 8.28);
c) security requirements in the specification and design phase (see 5.8);
d) security checkpoints in projects (see 5.8);
e) system and security testing, such as regression testing, code scan and penetration tests (see 8.29);
f) secure repositories for source code and configuration (see 8.4 and 8.9);
g) security in the version control (see 8.32);
h) required application security knowledge and training (see 8.28);
i) developers’ capability for preventing, finding and fixing vulnerabilities (see 8.28);
j) licensing requirements and alternatives to ensure cost-effective solutions while avoiding future licensing issues (see 5.32).
If development is outsourced, the organization should obtain assurance that the supplier complies with the organization’s rules for secure development (see 8.30).
Other information
Development can also take place inside applications, such as office applications, scripting, browsers and databases.