This domain covers the security controls you have implemented during the development of your IT applications.
Answer yes if your organisation develops any applications that are used to collect, process, or store data on behalf of clients.
Answer yes if your organisation controls access to its application source code. This is typically done by using a code repository with robust access controls implemented.
Answer yes if your organisation has implemented a secure SDLC (Software Development Lifecycle) that includes a security risk assessment. Please describe your SDLC process in the notes, highlighting any security input, or provide a supporting document (as a PDF) as evidence.
Answer yes if your organisation's developers are instructed to develop applications using security best practice (as defined by OWASP, The Open Web Application Security Project). Please state in the notes if your developers receive any additional security training.
Answer yes if your organisation ensures that all of its applications have data validation implemented on their data inputs and outputs.
Answer yes if your organisation conducts threat modelling when designing each application or system. Please state in the notes how threat modelling is integrated into your SDLC or provide a supporting document (for example, a template threat modelling report as a PDF file) as evidence.
Answer yes if your organisation ensures that all of its applications (that are developed in-house) use industry best practice for authentication, and that all passwords are stored as hashes using secure hashing algorithms rather than as plain text.
Answer yes if your organisation uses segregated environments for the development of applications, the testing of applications, and the hosting of production systems that handle live data. Please state in the notes the nature of the segregation (logical/physical).
Answer yes if your organisation has made it policy to only use test data (rather than live production data) that contains no personal data when testing its IT systems. If not, please state the reason why and whether or not you have any other mitigating controls in place.
Answer yes if your organisation produces or receives regular security updates for any applications it develops and hosts, and ensures that all applications procured from vendors are also supported with regular security patches.
Answer yes if your organisation conducts regular application penetration tests of any applications that it develops and remediates the findings. Please state how often applications are pentested in the notes section.
Answer yes if your organisation ensures that any applications developed have appropriate logging mechanisms implemented as defined by OWASP, the Open Web Application Security Project.