Development Security Standard

Source basis

Ported from policies/Core 12 Security Policy - Development Security Standards.md in the legacy ISMS backup. Use this as the current maintained Markdown version and track operational records in core12-isms-management.

Development Projects

  • All new projects have a completed Risk Assessment. Any changes to the project require a review of the completed Risk Assessment.

  • As part of the Risk Assessment all new projects need a security review to be completed and logged as an IT System.

Development Code / Framework / Libraries

  • All development frameworks and languages must be approved by the ISO prior to being used in a project.

  • All approved frameworks/libraries must be maintained and audited for security issues by version.

  • Source code must be stored in Core 12, LLC repositories. No customer data or passwords to production environments can be stored in repositories.

  • File servers containing Confidential and/or Internal Information must be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals.

Development Environments

  • All client data must be stored separately from other clients and Core 12, LLC data.

  • All applications that require a staging environment must adhere to the following:

      ◦ No live / production data can be stored in a staging / test environment unless it is a hardened production device.

      ◦ Staging environments must be on separate infrastructure from local environments, both server and network.

  • All production data for systems must be stored in separate databases with no shared user access controls between them.

  • Production data cannot be accessed directly by a client's system controls; interfaces must be created to export the data, or the data must be provided through a manual export request.

  • No production environment may have development tools or other applications installed that are not required.

  • All production environments must log critical events and user activities.

  • All environments must use separate profiles / accounts for access and operation.

  • All environments must utilize encryption during transfer and at rest.

  • All production updates to applications will be scanned for vulnerabilities before being released.

Monitoring and Site Maintenance

  • All applications must be monitored for uptime and any logged application errors.

  • All application source code, operating systems, and hardware must be updated on a regular basis.

  • All applications and environments must have vulnerability scans completed on a regular basis. Critical and High vulnerabilities are remediated within 30 days.