
E. Software Development

This domain covers the security controls you have implemented during the development of your IT applications.

00) Does your organisation develop any applications or systems that collect, process, or store data on behalf of clients?

Answer yes if your organisation develops or programs any applications that are used to collect, process, or store data on behalf of clients.

Tags: Software Development, Scoping

01) Does your organisation control access to program source code in a secure manner?

Answer yes if your organisation controls access to its application source code. This is typically done by using a code repository with robust access controls implemented, including maintaining an audit log of all access.

Tags: Software Development, Source Code Access Control

02) Does your organisation have a documented and approved software development life-cycle (SDLC) process that includes security input?

Answer yes if your organisation has implemented a secure SDLC (Software Development Lifecycle) that includes a security risk assessment. Please describe your SDLC process in the notes, highlighting any security input, or provide a supporting document (as a PDF) as evidence.

Tags: Software Development, Secure SDLC, Software Development Lifecycle

03) Does your organisation develop applications and systems using security best practice (for example, by following the OWASP secure coding practices)?

Answer yes if your organisation's developers are instructed to build applications and systems using defined security best practice (for example, as defined by OWASP, the Open Web Application Security Project). Please state in the notes the best practice guidance followed and whether your developers receive any additional security training.

Tags: Software Development, Security Best Practice, OWASP

04) Does your organisation validate all data inputs and outputs to and from its applications?

Answer yes if your organisation ensures that all of its applications have data validation implemented on their data inputs and outputs.

Tags: Software Development, Data Validation
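The guidance above asks whether inputs and outputs are validated but does not show what that looks like in code. The following is an added example, not part of the questionnaire or any vendor's code: it validates an inbound record against an allowlist schema (type, length, pattern and range checks, rejection of unexpected fields) and encodes a value on the way out so it is safe to embed in HTML. The schema and the sample records are constructed for illustration.

```python
import html
import re

# Constructed allowlist schema (example): every accepted field names its type and
# the bounds a value must satisfy. Anything not listed here is rejected.
USER_SCHEMA = {
    "username": {"type": str, "max_len": 32, "pattern": re.compile(r"[A-Za-z0-9_.-]+")},
    "email": {"type": str, "max_len": 254, "pattern": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")},
    "age": {"type": int, "min": 0, "max": 150},
}


def validate_input(record: dict, schema: dict) -> list:
    """Return a list of validation errors; an empty list means the record is accepted."""
    errors = []

    # Reject fields the schema does not know about (allowlist, not denylist).
    for key in record:
        if key not in schema:
            errors.append(f"unexpected field: {key}")

    for name, rule in schema.items():
        if name not in record:
            errors.append(f"missing field: {name}")
            continue
        value = record[name]

        # Type check first; bool is a subclass of int in Python, so exclude it explicitly.
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            errors.append(f"{name}: invalid type")
            continue

        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{name}: exceeds maximum length {rule['max_len']}")
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            errors.append(f"{name}: value does not match allowed pattern")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above maximum {rule['max']}")

    return errors


def render_display_name(username: str) -> str:
    """Output validation: encode for the HTML context before the value leaves the application."""
    return html.escape(username, quote=True)


if __name__ == "__main__":
    good = {"username": "alice_1", "email": "alice@example.com", "age": 30}
    bad = {"username": "<script>", "email": "nope", "age": True, "role": "admin"}
    print("good record errors:", validate_input(good, USER_SCHEMA))
    print("bad record errors:", validate_input(bad, USER_SCHEMA))
    print("encoded for HTML:", render_display_name("<b>alice</b>"))
```

The validator accepts only what the schema names and reports every failure rather than stopping at the first, which makes it straightforward to log rejected input as a security event; encoding on output is kept separate because the safe encoding depends on the destination (HTML here, but a SQL parameter, shell argument or log line each need their own).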

05) Does your organisation conduct threat modelling during the design phase of an application or system build?

Answer yes if your organisation conducts threat modelling when designing each application or system. Please state in the notes how threat modelling is integrated into your SDLC or provide a supporting document (for example, a template threat modelling report as a PDF file) as evidence.

Tags: Software Development, Threat Modelling

06) Do all of your organisation's applications and systems use industry best practice for authentication, including storing all user passwords as appropriate hashes?

Answer yes if your organisation ensures that all of its applications and systems (that are developed/built in-house) use industry best practice for authentication, and that all passwords are stored as hashes using secure hashing algorithms rather than as plain text.

Tags: Software Development, Authentication Best Practice

07) Does your organisation conduct appropriate security testing as part of your development lifecycle?

Answer yes if your organisation performs security testing of all applications and systems during the build process. Please describe the security testing performed, which could include, but is not limited to, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and infrastructure security testing.


08) Does your organisation segregate development environments from any testing or production environments?

Answer yes if your organisation uses segregated environments for the development of applications, the testing of applications, and the hosting of production systems that handle live data. Please state in the notes the nature of the segregation (logical/physical).

Tags: Software Development, Environment Segregation, Testing, Development

09) Does your organisation use dummy test data when undergoing testing of systems (and not live production data)?

Answer yes if your organisation has a policy of using only test data that contains no personal data (rather than live production data) when testing its IT systems. If not, please state the reason why and whether you have any other mitigating controls in place.

Tags: Software Development, Test Data

10) Does your organisation ensure that all applications that it builds or procures are maintained with regular security patches?

Answer yes if your organisation produces or receives regular security updates for any applications it develops and hosts, and ensures that all applications procured from vendors are also supported with regular security patches.

Tags: Software Development, Security Patches

11) Does your organisation conduct regular penetration tests of any applications or systems that it develops?

Answer yes if your organisation conducts regular penetration tests of any applications or systems that it develops and remediates the findings. Please state how often penetration tests take place in the notes section.

Tags: Software Development, Web Application Pentest, Penetration Testing

12) Does your organisation ensure that appropriate logging and monitoring is in place for all applications or systems it develops?

Answer yes if your organisation ensures that any applications or systems developed have appropriate logging mechanisms implemented (for example, as defined by OWASP, the Open Web Application Security Project).

Tags: Software Development, Logging
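Question 12 refers to "appropriate logging mechanisms" in the OWASP sense: security-relevant events recorded with who, from where, what and with what outcome, in a form a monitoring system can parse, and without secrets or attacker-controlled line breaks in the record. The following is an added example, not code from the questionnaire or any vendor: a small helper that builds such an event as structured JSON, strips fields that should never be logged, and neutralises newline characters so a user-supplied value cannot forge an extra log line. The field names and the sample event are constructed for this example.

```python
import json
import logging
from datetime import datetime, timezone

# Example denylist (assumed): keys whose values must never reach a log file.
SENSITIVE_KEYS = {"password", "token", "secret", "authorization", "session_id"}

logger = logging.getLogger("appsec")
_handler = logging.StreamHandler()
_handler.setFormatter(logging.Formatter("%(message)s"))
logger.addHandler(_handler)
logger.setLevel(logging.INFO)


def _clean(value):
    """Escape CR/LF in user-controlled strings so one event cannot masquerade as two log lines."""
    if isinstance(value, str):
        return value.replace("\r", "\\r").replace("\n", "\\n")
    return value


def build_security_event(event: str, user: str, source_ip: str, outcome: str,
                         details: dict = None) -> dict:
    """Assemble the record a SIEM would want: timestamp, event, actor, source, outcome, context."""
    safe_details = {
        _clean(k): _clean(v)
        for k, v in (details or {}).items()
        if k.lower() not in SENSITIVE_KEYS
    }
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "event": _clean(event),
        "user": _clean(user),
        "source_ip": _clean(source_ip),
        "outcome": _clean(outcome),
        "details": safe_details,
    }


def log_security_event(event: str, user: str, source_ip: str, outcome: str,
                       details: dict = None) -> dict:
    """Emit the event as one JSON line and return the record that was written."""
    record = build_security_event(event, user, source_ip, outcome, details)
    logger.info(json.dumps(record, sort_keys=True))
    return record


if __name__ == "__main__":
    # Constructed sample: a failed login whose username contains a newline and whose
    # context carries the submitted password, which must not be written out.
    log_security_event(
        "authn.login", "bob\n2024-01-01 login SUCCESS admin", "203.0.113.5", "failure",
        {"password": "hunter2", "reason": "bad credentials", "attempt": 3},
    )
```

One JSON object per line keeps the record machine-readable for detection rules, the denylist keeps credentials out of log stores that are usually less protected than the password database, and escaping line breaks defeats the classic trick of injecting a fake "success" entry through a username field.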