I nf o r m a ti o n Technology Department
Document





Application Development& Code Review Procedure Page  1


Application Development & Code Review Procedure





H i sto r Log
Date
Author

Ve rs i on

Da t e

Author
1.0
1 st November 2017
Information Dynamics
1.1
26 th   2019
Shibin
1.2
29 th  December 2019
Shibin
1.3
24 th  December 2020
Shibin



















I nf o r m a ti o n Technology Department
Procedure Document





Application Development& Code Review Procedure Page  2


1. Scope
scope be applicable to all activities under scope statement of Information Dynamics.
This   document   represents   Information   Dynamics   Software   Development   Policy.   This   standard  must   be   referred   to   by   the   in   house   application   development   teams   or   the   external   service  providers development or integration of the application for the Information Dynamics.
ISO 27001:2013 Domain Reference: A.14 – System Acquisition Development and Maintenance

ISO 27001:2013 Reference

A.14.1.1

Information security and specification
A.14.1.2
Securing application services on public networks

A.14.2.1

Secure development policy
A.14.2.2
System change control procedures

A.14.2.3

Technical review of applications after operating platform changes
A.14.2.4
Restrictions on changes to software packages

A.14.2.5

Secure engineering principles
A.14.2.6
Secure Development Environment

A.14.2.8

System Security Testing
A.14.2.9
System Acceptance Testing


























2. General Guidelines
2.1 The   ISO   12207   standard   must   be   referred   by   the   in   house   application   development   teams  or   the   external   service   providers   while   development   or   integration   of   the   application   for  the Information Dynamics.
2.2 The   development   and   operational   environments   should   be   different   physical  environments,   configured   and   located.   Testing   takes   place   in   the   development  environment   itself.   The   test   environment   simulates   the   operational   environment   with  exception that live credit card data is not used.
2.3 All   development   tools   should   be   only   accessible   within   the   development   environment.  Operational   software   is   only   transferred   from   the   test   environment   to   the   operational  environment after completion of system testing.
2.4 Test   data   and   accounts   like   custom   application   accounts,   usernames   and/or   passwords  should be removed before a production system active. 
I nf o r m a ti o n Department
Procedure Document





Application Development& Code Review Procedure Page  3


2.5 All   the   changes   (including   security   patches,   system   and   software   configuration   changes)  to   the   applications   must   undergo   testing   by   developers   and   UAT   before   deployed   into  production.
2.6 Code   reviews   should   be   performed   for   new   codes   and   after   every   change   and   should   be  reviewed   by   the   independent   internal   team   knowledgeable   in   source   coding   (other   than  the   programming   team)   before   release   to   production   systems   after   management   approval.  This is applicable internal as well as web applications.
2.7 Operational   databases   containing   personal   information   should   not   be   used   for   testing   of  operational software.
2.8 Test   data   should   be   generated   internally   by   the   developers   as   per   the   business  requirements.
2.9 Change   control   document   must   be   used   for   every   change   in   all   the   applications   and   must  document following into it:
2.9.1 Customer impact
2.9.2 sign-off
2.9.3 functionality testing
2.9.4 Back-out procedures
2.10 The   developers   must   follow   the   Application   Security   Standard   document   while  developing/ the applications.
2.11 Any change to the source code is prohibited without the prior approval of the  Information the Application Owner.
2.12 must be implemented on the related procedure that outlines the  steps and approvals to be obtained.
2.13 code changes to be reviewed in accordance with the secure coding practices  (e.g. input validation, and other secure coding methodologies per business  requirements) and by the knowledgeable code reviewers other than the author of the code. 
2.14 Along with the OWASP Top 10 or SANS TOP 25; the vulnerabilities ranked as HIGH  as per the RISK RANKING should also be included in the Code Review.
2.15 All the changes to source code to be tested in the test environment for any  corrections before it is released to the production environment.
2.16 All changes being made to the production environment must have management 
I nf o r m a ti o n Technology Department
Procedure Document





Application Development& Code Review Procedure Page  4


approval. 
Documentation
NA