Secure Development Policy
- Bruno Belizario
- Sean Oldfield
Version | 1.0 |
Owner | CTO |
Last Updated On | Jan 25, 2023 |
Last Updated by | @Bruno Belizario |
Approved by | @Sean Oldfield |
Last Review | Jan 25, 2024 |
Purpose
Ensure that information security is designed and implemented within the development lifecycle for applications and information systems.
Scope
All ecoPortal applications and information systems that are business critical and/or process, store, or transmit Confidential data. This policy applies to all internal and external engineers and developers of ecoPortal software and infrastructure.
Policy
This policy describes the rules for the acquisition and development of software and systems that shall be applied to developments within the ecoPortal organization.
System Change Control Procedures
Changes to systems within the development lifecycle shall be controlled using formal change control procedures. Change control procedures and requirements are described in the ecoPortal Operations Security Policy.
Significant code changes must be reviewed and approved by Tech Lead before being merged into any production branch.
Change control procedures shall ensure that the development, testing, and deployment of changes shall not be performed by a single individual without approval and oversight.
Software Version Control
All ecoPortal software is version controlled and synced between contributors (developers). Access to the central repository is restricted based on an employee’s role. All code is written, tested, and saved in a local repository before being synced to the origin repository.
Technical Review of Applications after Operating Platform Changes
When operating platforms are changed, business-critical applications shall be reviewed and tested to ensure that there is no adverse impact on organizational operations or security.
Restrictions on Changes to Software Packages
Modifications to third-party business application packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.
Secure System Engineering Principles Â
Principles for engineering secure systems shall be established, documented, maintained, and applied to any information system implementation efforts.
At a minimum, the following secure-by-design and privacy-by-design principles shall be applied:
Secure-by-design principles:
Minimize attack surface area
Establish secure defaults
The principle of Least privilege
The principle of defense in depth
Fail securely
Don’t trust services
Separation of duties
Avoid security by obscurity
Keep security simple
Fix security issues correctly Privacy-by-design principles:
Proactive, not Reactive; Preventative not Remedial
Privacy as the Default Setting
Privacy Embedded into Design
Full Functionality – Positive-Sum, not Zero-Sum
End-to-End Security – Full Lifecycle Protection
Visibility and Transparency – Keep it Open
Respect for User Privacy – Keep it User-Centric
Engineering documentation and technical references can be found in the Trello Board for Developer Onboarding.
Software developers are expected to adhere to ecoPortal’s coding standards throughout the development cycle, including standards for quality, commenting, and security.
Secure Development Environment
ecoPortal shall establish and appropriately protect environments for system development and integration efforts that cover the entire system development life cycle. The following environments shall be logically or physically segregated:
Production / Live
Staging
Beta
Pre
System Security Testing  Â
Testing of security functionality shall be performed at defined periods during the development life cycle. No code shall be deployed to ecoPortal production systems without documented, successful test results and evidence of security remediation activities.
Application Vulnerability Management
Application code should be scanned prior to deployment. Patches to address application vulnerabilities that materially impact security should be deployed within 90 days of discovery.
System Acceptance Testing
Acceptance testing programs and related criteria shall be established for new information systems, upgrades, and new versions.
Prior to deploying code, a Release Checklist MUST be completed which includes a checklist of all Test Plans which show the completion of all associated tests and remediation of identified issues.
Protection of Test Data   Â
Test data shall be selected carefully, protected, and controlled. Confidential customer data shall be protected in accordance with all contracts and commitments. Customer data shall not be used for testing purposes without the explicit permission of the data owner and the Head of Engineering.
Acquisition of Third-Party Systems and Software
The acquisition of third-party systems and software shall be done in accordance with the requirements of the ecoPortal Third-Party Management Policy.
Developer Training
Software developers shall be provided with secure development training appropriate to their role at least annually. Training content shall be determined by management but shall address the prevention of common web application attacks and vulnerabilities. The following threats and vulnerabilities should be addressed as appropriate:
prevention of authorization bypass attacks
prevention of the use of insecure session IDs
prevention of Injection attacks
prevention of cross-site scripting attacks
prevention of cross-site request forgery attacks
prevention of the use of vulnerable libraries
Exceptions
Requests for an exception to this Policy must be submitted to the Head of Engineering for approval.
Violations & Enforcement
Any known violations of this policy should be reported to the Head of Engineering. Violations of this policy can result in immediate withdrawal or suspension of the system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.