...

  1. Due diligence: Implementation of all measures and common best practice within the development, operation and quality assurance required to prevent the occurrence of new security defects.

  2. For applications with assurance class >= [HIGH]:

    1. Evidence[1] that security has been taken into account throughout the development process.

    2. A security concept that complies with the security documentation requirements specified in 5. Security within Software Development Process.

  3. Implementation of all necessary and requested security measures in order to reach a suitable level of protection, including those listed in chapter 3. Secure Operation (Operational Requirements) and 8. Implementation Requirements of this document.

  4. Appointment of an internal contact person for security-relevant questions.

  5. Only persons who are authorized and who require access have access to the source code created on behalf of Example Inc. (need-to-know principle).

  6. Right to audit: At its own discretion, Example Inc. is allowed to conduct security assessments of source code and applications that have been created on its behalf. The supplier will provide the required support if needed.

  7. Security vulnerabilities are to be remediated as soon as possible without extra costs when requested by Example Inc. (see relevant requirements in 2. Remediation of Vulnerabilities in Production).

  8. Security SHOULD be built into supplier agreements in order to ensure compliance with organizational requirements.

...

[1] e.g. via ISO 27001 certification and/or BSIMM for Vendors (https://www.bsimm.com/about/bsimm-for-vendors)