7. Outsourced Development

The following requirements apply to contractors that implement applications on behalf of Example Inc., in addition to all other requirements of this document where applicable (e.g. protection of source code). Suppliers MUST comply with the following requirements:

  1. Due diligence: Implementation of all measures and common best practices in development, operation and quality assurance that are required to prevent the introduction of new security defects.

  2. For applications with assurance class >= [HIGH]:

    1. Evidence[1] that security has been taken into account throughout the development process.

    2. A security concept that complies with the security documentation requirements specified in https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98338.

  3. Implementation of all necessary and requested security measures in order to reach a suitable level of protection, including those listed in chapters https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98305 and https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/360467 of this document.

  4. Appointment of an internal contact person for security-relevant questions.

  5. Only persons who are authorized and who require it for their work have access to the source code created on behalf of Example Inc. (need-to-know principle).

  6. Right to audit: At its own discretion, Example Inc. is allowed to conduct security assessments of source code and applications that have been created on its behalf. The supplier will provide the required support if needed.

  7. Security vulnerabilities are to be remediated as soon as possible without extra costs when requested by Example Inc. (see relevant requirements in ).

  8. Security SHOULD be built into supplier agreements in order to ensure compliance with organizational requirements.


[1] e.g. via ISO 27001 certification and/or BSIMM for Vendors (https://www.bsimm.com/about/bsimm-for-vendors)