4. Secure Development Environment

  1. Securing access to the dev environment:

    1. Access to development systems (including build and deployment systems) MUST be sufficiently protected.

    2. Access to the development environment MUST be restricted.

    3. Remote access to development systems MUST only be possible via a secure VPN connection and multi-factor authentication (MFA).

  2. Protection of source and program code:

    1. Access to sensitive source and program code (code that runs in production, or that contains PII, other sensitive information or business logic) MUST be restricted to authorized users and revoked as soon as a user no longer needs it (e.g. when leaving the team). This includes authentication and authorization for access to cloud accounts, code repositories (e.g. SVN or Git), build systems (e.g. Jenkins or TFS), wikis and other resources such as file systems.

    2. Sensitive source and program code MUST NOT be made available to others outside of Example Inc. (e.g. within internet forums) without explicit clearance of the relevant IT security function.

    3. The code repository SHOULD be periodically scanned for exposed secrets (e.g. X.509 private keys or API keys).

    4. Source code repositories SHOULD be regularly scanned for disclosed secrets (e.g. X.509 private keys or API keys).
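The secret-scanning requirement in items 2.3 and 2.4 can be met with dedicated tooling, but the check itself is simple enough to show. The following is an added illustration written for this page, not part of the Example Inc. policy and not a reference to any specific scanner product: it walks a directory tree and flags PEM private-key headers, AWS-style access key IDs (the documented `AKIA` prefix) and quoted high-entropy literals assigned to key-like variable names. The regexes, the entropy threshold of 3.5 bits per character and the sample file contents are assumptions constructed for the example.

```python
from __future__ import annotations

import math
import os
import re
from dataclasses import dataclass

# Detection rules. The PEM header covers X.509/TLS and SSH private keys; the AKIA
# prefix is the documented shape of an AWS access key ID. The third rule catches
# "key-like name = quoted literal" and is then filtered by an entropy check so
# placeholders such as "changeme" are not reported.
RULES = {
    "pem-private-key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "keyish-assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cut-off, tune per code base


@dataclass
class Finding:
    path: str
    line: int
    rule: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Apply every rule to every line; return one Finding per (line, rule) hit."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES.items():
            m = rx.search(line)
            if not m:
                continue
            # Low-entropy literals are almost always placeholders, not secrets.
            if name == "keyish-assignment" and shannon_entropy(m.group(1)) < ENTROPY_THRESHOLD:
                continue
            findings.append(Finding(path, lineno, name))
    return findings


def scan_tree(root: str, skip_dirs: tuple[str, ...] = (".git", "node_modules")) -> list[Finding]:
    """Scan every regular file below root, skipping VCS metadata and vendored trees."""
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), full))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return findings


# Constructed sample "file" for a self-contained run; none of these are real credentials.
SAMPLE = """\
# constructed sample file, not real credentials
db_password = "changemechangeme"
API_KEY = "f3a9c1d7e5b2084a6c1e9d7b5a3f2c8e"
aws_key = AKIAEXAMPLEKEY000001
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBALRiMLAH...
-----END RSA PRIVATE KEY-----
"""


def scan_sample() -> list[Finding]:
    return scan_text(SAMPLE, "sample.cfg")


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.path}:{f.line}: {f.rule}")
```

Running the module on the embedded sample reports the hex API key, the AWS key ID and the PEM header, while the low-entropy `changemechangeme` placeholder is suppressed; `scan_tree(".")` runs the same rules over a checked-out repository. A pattern-and-entropy scanner of this kind produces false positives on test fixtures and fake keys, so its output is a triage list, not a verdict; the policy's "revoke" step still applies to anything confirmed as a real secret.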

  3. Use of trusted repositories and third-party dependencies (see https://secodis.atlassian.net/wiki/pages/resumedraft.action?draftId=98338 )