An Introduction To
Information, Network and Internet Security


Security in development and support processes

Objective: To maintain the security of application system software and information.

Project and support environments should be strictly controlled.

Change control procedures

Formal change control procedures should be enforced.

Technical review of applications after operating system changes

The impact of operating system changes should be reviewed and tested to ensure that there is no adverse impact on operation or security.

Restrictions on changes to software packages

Modifications to software packages should be discouraged. Any essential changes should be strictly controlled.

Information leakage

Where covert channels or Trojan code are a concern, the software should be thoroughly inspected and tested before use. Taking measures to reduce Trojan code will reduce the likelihood of covert channels.

Outsourced software development

Where software development is outsourced, it should be closely monitored, fully tested and subject to an appropriate contract.



The Security Practitioner

An Introduction to Information Security