Establish and maintain a secure application development process. In the process, address such items
as: secure application design standards, secure coding practices, developer training, vulnerability
management, security of third-party code, and application security testing procedures. Review and
update documentation annually, or when significant enterprise changes occur that could impact
this Safeguard.
The general rules for secure development work have been drawn up and approved by the development managers. The implementation of the rules is monitored in software development in the organization and the rules are reviewed at least yearly.
The safe development policy may include e.g. the following things:
Compliance with the rules of secure development may also be required of key partners.
The organization shall define and implement a Secure Software Development Life Cycle (SSDLC) process in software development.
The first step in the SSDLC process should be to define security requirements that ensure that security considerations become integrated into the services being developed right from the creation phase.
It is recommended that the SSDLC process include at least the following steps:
The definition of security-critical code for the various services is maintained. New parts of the critical code are constantly being identified and new updates are being checked particularly closely for changes to the critical code. The aim is to keep the likelihood of security vulnerabilities to a minimum.