Version

1.0

Owner

Head of Engineering

CTO

Last Updated On

Last Updated by

Bruno Belizario

Approved by

Sean Oldfield

Last Review

Purpose

Ensure that information security is designed and implemented within the development lifecycle for applications and information systems.

...

Changes to systems within the development lifecycle shall be controlled using formal change control procedures. Change control procedures and requirements are described in the ecoPortal Operations Security Policy.

Significant code changes must be reviewed and approved by the Tech Lead before being merged into any production branch, in accordance with the Check-In Process found here: <link to process outline in company wiki>.

Change control procedures shall ensure that the development, testing, and deployment of changes are not performed by a single individual without approval and oversight.

...

At a minimum, the following secure-by-design and privacy-by-design principles shall be applied:

Secure-by-design principles:

  1. Minimize attack surface area

  2. Establish secure defaults

  3. The principle of least privilege

  4. The principle of defense in depth

  5. Fail securely

  6. Don’t trust services

  7. Separation of duties

  8. Avoid security by obscurity

  9. Keep security simple

  10. Fix security issues correctly

Privacy-by-design principles:

  1. Proactive, not Reactive; Preventative not Remedial

  2. Privacy as the Default Setting

  3. Privacy Embedded into Design

  4. Full Functionality – Positive-Sum, not Zero-Sum

  5. End-to-End Security – Full Lifecycle Protection

  6. Visibility and Transparency – Keep it Open

  7. Respect for User Privacy – Keep it User-Centric

Engineering documentation and technical references can be found in the Trello Board for Developer Onboarding.

...

The acquisition of third-party systems and software shall be done in accordance with the requirements of the ecoPortal Third-Party Management Policy.

Developer Training

Software developers shall be provided with secure development training appropriate to their role at least annually. Training content shall be determined by management but shall address the prevention of common web application attacks and vulnerabilities. The following threats and vulnerabilities should be addressed as appropriate:

...