Versions Compared


The following requirements are relevant for technical secrets (e.g. passwords of technical users, API keys, credentials or private keys) used either in production or that are generally used to protect access to sensitive systems or data:

  1. Secrets MUST be encrypted when stored with the source or program code; otherwise they MUST be stored separated from it and outside of the source code management system (e.g. Git).

  2. Access to secrets MUST be restricted.

  3. Secrets SHOULD be stored in a secure secret store (vault) or keystore implementation.

  4. For assurance class >= [HIGH]:

    1. Secrets MUST be stored in a secure secret store (vault) or keystore implementation.

    2. Secrets MUST be stored encrypted.

    3. Secrets SHOULD be rotated at least once per year.

    4. Secrets used for encrypting sensitive data …
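The following is an added example, not text or code from the compared page versions, showing how the requirements above can be turned into concrete checks: a scan for credential literals embedded in program code (requirement 1), a minimal access-controlled secret store standing in for a vault/keystore (requirements 2 and 3), and an audit of rotation age against the once-per-year rule. The `SecretStore` class, its API, the regex rule set and the sample source and records are all constructed assumptions for this example; a real deployment would use the organisation's actual vault and a tuned secret-scanning rule set.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# "rotated at least once per year" from the requirements above
MAX_SECRET_AGE = timedelta(days=365)

# Heuristic patterns for credential literals inside program code
# (constructed for this example; a production scanner uses a larger rule set).
HARDCODED_SECRET_PATTERNS = [
    re.compile(r"""(?i)(password|passwd|api[_-]?key|secret|token)\s*[:=]\s*['"][^'"]{8,}['"]"""),
    re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
]


def find_hardcoded_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line number, line) for lines that look like an embedded credential."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if any(p.search(line) for p in HARDCODED_SECRET_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


@dataclass(frozen=True)
class SecretRecord:
    value: str
    rotated_at: datetime  # timezone-aware timestamp of the last rotation


class SecretStore:
    """Hypothetical stand-in for a vault/keystore (name and API are assumptions).

    Secrets live here rather than in the code base; every read is checked
    against an access list, and rotation age can be audited.
    """

    def __init__(self, records: dict[str, SecretRecord], access: dict[str, set[str]]):
        self._records = records
        self._access = access  # secret name -> principals allowed to read it

    def get(self, name: str, principal: str) -> str:
        """Read a secret; refused unless the principal is on its access list."""
        if principal not in self._access.get(name, set()):
            raise PermissionError(f"{principal} may not read secret {name!r}")
        return self._records[name].value

    def stale_secrets(self, now: datetime) -> list[str]:
        """Names of secrets whose last rotation is older than MAX_SECRET_AGE."""
        return sorted(
            name for name, rec in self._records.items()
            if now - rec.rotated_at > MAX_SECRET_AGE
        )


# --- constructed sample data (not real credentials) --------------------------
SAMPLE_SOURCE = '''\
import os
DB_PASSWORD = "hunter2hunter2"   # credential literal in code: violates requirement 1
API_KEY = os.environ["API_KEY"]  # fine: the value is supplied from outside the code
'''

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_STORE = SecretStore(
    records={
        "db/password": SecretRecord("s3cr3t-from-vault", NOW - timedelta(days=30)),
        "api/key": SecretRecord("key-from-vault", NOW - timedelta(days=400)),
    },
    access={"db/password": {"app-backend"}, "api/key": {"app-backend", "batch-job"}},
)


def run_checks() -> dict:
    """Apply all three checks to the constructed sample and return a summary."""
    return {
        "hardcoded": find_hardcoded_secrets(SAMPLE_SOURCE),
        "stale": SAMPLE_STORE.stale_secrets(NOW),
        "db_password_for_backend": SAMPLE_STORE.get("db/password", "app-backend"),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Running the module reports line 2 of the sample source as a hardcoded secret, `api/key` as overdue for rotation (400 days since the last rotation), and serves `db/password` only to the `app-backend` principal; a read by `batch-job` raises `PermissionError`. The same three checks map directly onto the list above: the scanner enforces the "not stored with the code" rule, the access list enforces restricted access, and the age audit enforces the rotation rule.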