Application Development Policy Page 1
Application Development Policy
Document Summary

Item                      Value
Organization              Information Dynamics
Document Name             Application Development Policy
Classification            Internal
Compliance Reference To   ISO 27001:2013

Document Revision History

Date                Version   Prepared By
1st November 2018   1.1       Information Dynamics
10th June 2019      1.2       Information Dynamics
29th Dec 2019       1.3       Added ISO 27001 Controls reference
24th Dec 2020       1.4       Review of policy
24th Dec 2021       1.5       Review of policy

Document Review History

Reviewed By   Version   Signature
Shibin        1.3
Shibin        1.4
Shibin        1.5
1. Purpose
The purpose of this policy is to define the security controls to be implemented in the application development environment.
ISO 27001:2013 Domain Reference: A.14 System Acquisition, Development and Maintenance

ISO 27001:2013 Reference
A.14.1.1   Information security requirements analysis and specification
A.14.1.2   Securing application services on public networks
A.14.2.1   Secure development policy
A.14.2.2   System change control procedures
A.14.2.3   Technical review of applications after operating platform changes
A.14.2.4   Restrictions on changes to software packages
A.14.2.5   Secure system engineering principles
A.14.2.6   Secure development environment
A.14.2.8   System security testing
A.14.2.9   System acceptance testing
2. Scope
This policy applies to all activities covered by the scope statement of Information Dynamics.
3. Policy Controls
Information security requirements need to be gathered during the initial phase of the project. Security requirements shall be implemented in all architecture layers (business data, applications and technology). New technology should be analysed for risks prior to development.
There must be separate Development, Test and Production environments.
There must be proper and defined segregation of duties between personnel assigned to the development/test environment and personnel assigned to the production environment.
Production data (e.g. live PANs) must not be used for testing and development, or must be sanitized before use.
Test data and accounts must be removed before a production system becomes active.
Custom application accounts, usernames and/or passwords must be removed before the system goes into production or is released to customers.
Access to source code needs to be provided on a need-to-know basis only.
Access to source code shall be reviewed as per the access control policy.
Custom code reviews must be performed by individuals other than the originating code author prior to release to production or customers, in order to identify any potential coding vulnerability.
Code reviews for custom software development, as part of the System Development Life Cycle (SDLC), can be conducted by internal personnel.
Code reviews must be assessed from a security perspective to ensure there are no backdoors or malicious code added.
Change control procedures must be followed for all system and software configuration changes.
For each change there must be management sign-off by appropriate parties.
Operational functionality testing must be performed for each change.
A back-out procedure must be defined for each change.
All web applications must be developed based on secure coding guidelines such as the Open Web Application Security Project (OWASP) guidelines. This is to prevent common coding vulnerabilities in software development processes.
All web-facing applications must be protected against known attacks by either of the following methods:
a. Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security, or
b. Installing an application-layer firewall in front of web-facing applications.