Securing access to the dev environment:
Access to development systems (including build and deployment systems) MUST be sufficiently protected.
Access to the development environment MUST be restricted.
Remote access to development systems MUST only be possible via a secure VPN connection and multi-factor authentication (MFA).
Protection of source and program code:
Access to sensitive source and program code (code that runs in production, or that contains PII, other sensitive information or business logic) MUST be restricted to authorized users and revoked as soon as a user no longer needs it (e.g. when leaving the team). This includes authentication and authorization of access to cloud accounts, code repositories (e.g. SVN or Git), build systems (e.g. Jenkins or TFS), wikis and other resources such as file systems.
Sensitive source and program code MUST NOT be made available to others outside of
(e.g. within internet forums) without explicit clearance of the relevant IT security function.
Source code repositories SHOULD be regularly scanned for disclosed secrets (e.g. X.509 private keys or API keys), and any secret found MUST be treated as compromised and rotated; removing it from the latest commit does not remove it from the history.
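One way to implement such a scan, as an added example that is not part of this policy page or of any scanner the page mentions: a small Python script that walks a checkout, flags PEM private-key blocks, AWS access key IDs and quoted API-key/token assignments, and skips vendored and VCS directories. The rule set, the skip list, the redaction format and the constructed sample repository are assumptions of the example; a production scanner (gitleaks, trufflehog, the hosting platform's own secret scanning) ships far more rules and also walks the git history rather than only the working tree.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Detection rules. These are assumptions made for this example; real scanners
# ship far larger rule sets and entropy checks.
RULES = {
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]"),
}
SKIP_DIRS = {".git", "node_modules", "vendor", "build"}  # assumed skip list
MAX_FILE_BYTES = 1_000_000  # skip large blobs; binaries fail the UTF-8 decode below


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    redacted: str  # only the first 4 chars of the match, so the report itself leaks nothing


def redact(secret: str) -> str:
    return secret[:4] + "..." if len(secret) > 4 else "..."


def scan_text(path: str, text: str) -> list:
    """Run every rule over each line of one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if m:
                secret = m.group(m.lastindex or 0)  # capture group if the rule has one
                findings.append(Finding(path, lineno, rule, redact(secret)))
    return findings


def scan_tree(root: str) -> list:
    """Walk a checkout, skipping vendored/VCS dirs, oversized files and non-text files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > MAX_FILE_BYTES:
                continue
            try:
                with open(full, encoding="utf-8") as fh:
                    text = fh.read()
            except UnicodeDecodeError:
                continue
            findings.extend(scan_text(os.path.relpath(full, root), text))
    return findings


# Constructed sample repository for the example. The "secrets" are dummies
# (the AWS key is Amazon's documented example value) and the vendored file
# exists only to show that skipped directories are not reported.
SAMPLE_FILES = {
    "README.md": "# demo service\nSee docs/ for setup.\n",
    "config/deploy.env": "REGION=eu-central-1\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "certs/server.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    "src/app.py": 'API_KEY = "sk_test_0123456789abcdefghij"\n',
    "vendor/lib.js": 'const token = "ignoredbecausevendoredxyz1234";\n',
}


def build_sample_repo(root: str) -> None:
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo() -> list:
    """Build the sample checkout in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_repo(root)
        return sorted(scan_tree(root), key=lambda f: (f.path, f.line))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line}  {f.rule}  {f.redacted}")
```

Run it as a pre-receive hook or a CI job that fails the pipeline on any finding; keep an explicit, reviewed allowlist for known false positives (test fixtures, documented example keys) rather than loosening the patterns, and remember that a hit on the working tree means the value has already been committed and must be rotated.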
Use of trusted repositories and 3rd party dependencies (see https://secodis.atlassian.net/wiki/pages/resumedraft.action?draftId=98338 )