Information Technology Department
Procedure Document
Application Development & Code Review Procedure Page 1
Application Development & Code Review Procedure
History Log
Version | Date | Author
1.0 | 1st November 2017 | Information Dynamics
1.1 | 26th January 2019 | Shibin
1.2 | 29th December 2019 | Shibin
1.3 | 24th December 2020 | Shibin
1.4 | 24th December 2021 | Shibin
1. Scope
This procedure applies to all activities under the scope statement of Information Dynamics.
This document represents the Information Dynamics Software Development Policy. This standard
must be followed by in-house application development teams and external service
providers when developing or integrating applications for Information Dynamics.
ISO 27001:2013 Domain Reference: A.14 System Acquisition Development and Maintenance
ISO 27001:2013 controls referenced:
Information security requirements analysis and specification
Securing application services on public networks
Secure development policy
System change control procedures
Technical review of applications after operating platform changes
Restrictions on changes to software packages
Secure system engineering principles
Secure Development Environment
System Security Testing
System Acceptance Testing
2. General Guidelines
2.1 The ISO 12207 standard must be followed by in-house application development teams
and external service providers when developing or integrating applications for
Information Dynamics.
2.2 The development and operational environments should be separate physical
environments, separately configured and located. Testing takes place in the development
environment itself. The test environment simulates the operational environment, with the
exception that live credit card data is not used.
2.3 All development tools should be accessible only within the development environment.
Operational software is transferred from the test environment to the operational
environment only after completion of system testing.
2.4 Test data and test accounts (such as custom application accounts, usernames and/or
passwords) should be removed before a production system becomes active.
2.5 All changes (including security patches, system and software configuration changes)
to the applications must undergo testing by developers and UAT before being deployed into
production.
2.6 Code reviews should be performed for new code and after every change. The review must
be carried out by an independent internal team knowledgeable in source coding (other than
the programming team) before release to production systems, following management approval.
This applies to internal as well as web applications.
2.7 Operational databases containing personal information should not be used for testing of
operational software.
2.8 Test data should be generated internally by the developers as per the business
requirements.
2.9 A change control document must be used for every change to any application and must
document the following:
2.9.1 Customer impact
2.9.2 Management sign-off
2.9.3 Operational functionality testing
2.9.4 Back-out procedures
2.10 The developers must follow the Application Security Standard document while
developing/modifying the applications.
2.11 Any change to the source code is prohibited without the prior approval of the
Information Owner and the Application Owner.
2.12 Changes must be implemented based on the related SDLC procedure that outlines the
steps and necessary approvals to be obtained.
2.13 Source code changes are to be reviewed in accordance with secure coding practices
(e.g. OWASP input validation, and other secure coding methodologies as per business
requirements) and by knowledgeable code reviewers other than the author of the code.
2.14 In addition to the OWASP Top 10 or SANS Top 25, vulnerabilities ranked as HIGH
in the risk ranking should also be included in the test cases.
2.15 All changes to the source code are to be tested in the test environment for any
corrections before they are released to the production environment.
2.16 All changes being made to the production environment must have management
approval.
Associated Documentation
NA