Purpose and Scope
This document outlines rules for secure development of software and systems for our flagship product FileHound. It applies to all services, architecture, software, and systems under our Information Security Management System (ISMS) and personal data processing activities. All Element3 employees involved in software development and maintenance of FileHound must adhere to this policy.
Secure Development and Maintenance
Risk Assessment for the Development Process
In addition to standard company Risk Assessments, Solutions Architects & DevOps Engineers must periodically assess risks related to unauthorised access and changes to all development environments, technical vulnerabilities of IT infrastructure systems used at FileHound, and risks associated with any new technologies used in the organisation.
Securing the Development Environment
All development projects must follow an agile design, build, and maintain methodology. Code management processes must be robust and use only company-vetted tools and services. During the development phase, vulnerability scanning and penetration testing must be conducted to identify and remediate potential security weaknesses.
All FileHound pre-production development and production environments must be separated by either physical or virtual servers that are managed and maintained by the Senior DevOps Engineer and Solutions Architect. All developer, test, and production environments must be securely backed up following internal backup procedures.
Secure Engineering Principles
The Solutions Architect will establish procedures for secure information system engineering for new and existing FileHound systems, and set minimum security standards that must be followed by all FileHound developers and technical employees.
Secure Coding Practices
All developers must adhere to secure coding practices to ensure that vulnerabilities are not introduced in the development process. Developers must be trained in secure coding principles, such as input validation, error handling, and secure configuration. Solutions Architects must review the code for security issues before release.
Security Requirements
Security requirements for each FileHound project must be documented by Solutions Architects under the Security Requirements Specification section of the new or modified systems documentation.
Data Encryption
Sensitive data must be properly encrypted during transmission and storage. All encryption keys must be securely managed and protected. The use of encryption protocols and standards must follow industry best practices.
Security Requirements Related to Public Networks
Solutions Architects are responsible for defining security controls for application services passing over public networks, including authentication systems, confidentiality and integrity of information, and non-repudiation of actions. Controls for online transactions must include preventing incomplete data transmission, unauthorised message alteration, unauthorised message duplication, and unauthorised data disclosure.
Checking and Testing Security Requirements Implementation
The Solutions Architect must define the methodology, responsibilities, and timing for checking whether all security requirements from the Security Requirements Specification and customer contract agreements have been met and whether the system is acceptable for production.
Code Management
To ensure effective source code management, Git must be used for all projects, and our internal GitHub hosting service must be utilised. All GitHub source code access must be authorised by the Solutions Architect to prevent unauthorised access. Access for authorised users must be enforced through multi-factor authentication (MFA) accounts to guarantee the highest level of security. This approach will help us maintain the integrity and confidentiality of our source code, prevent unauthorised changes or breaches, and protect our customers' data.
Version Control
All new FileHound development projects and releases must follow a semantic versioning methodology that is reviewed periodically for compliance by Product Managers and Solutions Architects.
Change Control
Changes in development and system maintenance must comply with the Change Management Policy and Security Procedures.
Protection of Test Data
Confidential and personally identifiable data must not be used as test data, except where approved by the Senior Product Managers, in which case Solutions Architects must define how the data is protected.
Security Training for All Employees
All employees who work on FileHound software development and maintenance must receive regular security training to ensure that they are aware of the latest threats and best practices. The training program must include topics such as password management, social engineering, and phishing.
Managing Records Kept Based on This Document
Record Name | Storage Location | Person Responsible for Storage | Controls for Record Protection | Retention Time |
---|---|---|---|---|
List of risks related to development process | Company Documentation Portal | Product Manager & Project Lead | Only project members and senior managers can access | 3 years for lists that are no longer valid |
Security Requirements Specification | Company Documentation Portal | Solutions Architect | Only project members and senior managers can access | 3 years for lists that are no longer valid |
Procedures for secure information system eng... | Company Documentation Portal | DevOps Engineer | Only project members and senior managers can access | 3 years for procedures that are no longer valid |
Testing plans | Company Documentation Portal | Product Manager & Project Lead | Only project members and senior managers can access | 3 years for tests that have been performed |
Validity and Document Management
The Senior FileHound Product Manager is responsible for this document and must review and update it at least once a year. The effectiveness and adequacy of this document must be evaluated based on the number of incidents arising from failed security controls built into the systems.
Review of this Policy
This Secure Development Policy will be under regular review, and any updates will be placed on the FileHound knowledge base. The last review of this policy was conducted in April 2023.