Software Development Standard

Objective

Include information security in all phases and processes of software development, covering both new software and enhancements to existing software. Software here means instructions and code written in a programming language, whatever the form of the application (e.g., an end-user application, or a script or program that automates a production task).

A software development life cycle (SDLC) is a step-by-step methodology for designing and developing software to meet a set of requirements. Requirements are developed during the conception and design phases, implemented during the development phase, tested during the testing phase, and approved before deployment. Adherence to an SDLC helps ensure that software performs all necessary business operations securely and efficiently, and in accordance with laws and regulations.

Security Controls

Requirements & Analysis Phase of the SDLC

The following table describes the information security requirements in the requirements & analysis phase. For each control, the requirement is given for each security level (High, Medium, Low).

ID        Description
          Requirement by security level (High; Medium; Low)

SD.A.01   Document the SDLC process used by the unit.
          High: Required (effective July 2019); Medium: Required (effective July 2019); Low: Recommended

SD.A.02   Develop software in adherence with the unit's SDLC process.
          High: Required (effective July 2019); Medium: Required (effective July 2019); Low: Recommended

SD.A.03   Document security-related requirements alongside the functional and business requirements.
          High: Required (effective July 2019); Medium: Recommended; Low: Recommended

SD.A.04   Identify and document the types of data to be stored or processed by the software.
          High: Required (effective July 2019); Medium: Required (effective July 2019); Low: Required (effective July 2019)

Design Phase of the SDLC

The following table describes the information security requirements in the design phase. For each control, the requirement is given for each security level (High, Medium, Low).

ID        Description
          Requirement by security level (High; Medium; Low)

SD.B.01   Document the architecture and directional data flows of the software under development, including the security controls on data at rest, in transit, and being processed.
          High: Required (effective July 2019); Medium: Recommended; Low: Optional

SD.B.02   Define dedicated (isolated) production and non-production environments.
          High: Recommended (1); Medium: Recommended; Low: Optional

SD.B.03   Define roles and permissions within the software.
          High: Required (effective July 2019); Medium: Required (effective July 2019); Low: Recommended

SD.B.04   Document a procedure for maintaining access control to program source code.
          High: Required (effective July 2019); Medium: Recommended; Low: Recommended

SD.B.05   Document a decommission plan for all environments, including software obsolescence.
          High: Required (effective July 2019); Medium: Recommended; Low: Recommended

SD.B.06   Document the peer review of the design and the approval to move to the next phase.
          High: Required (effective July 2019); Medium: Recommended; Low: Optional

(1) Required for PCI DSS on all systems or applications that store, process, or transmit cardholder data, or that support the credit card processing environment.

Development Phase of the SDLC

The following table describes the information security requirements in the development phase. For each control, the requirement is given for each security level (High, Medium, Low).

ID        Description
          Requirement by security level (High; Medium; Low)

SD.C.01   Maintain a separate non-production environment for development.
          High: Required; Medium: Recommended; Low: Recommended

SD.C.02   Prevent private-highly restricted and/or private-restricted data from appearing in non-production environments unless the environment meets the same requirements as the production environment.
          High: Required; Medium: Required (effective July 2019); Low: Recommended

SD.C.03   Only use third-party libraries or code from repositories where the vendor or open source community continues to identify and remediate security vulnerabilities.
          High: Required (effective July 2019); Medium: Recommended; Low: Recommended

SD.C.04   Conduct iterative manual and/or automated testing of security and functional requirements.
          High: Required (effective July 2019); Medium: Recommended; Low: Recommended

SD.C.05   Follow the documented procedure for maintaining access control to program source code.
          High: Required (effective July 2019); Medium: Recommended; Low: Recommended

SD.C.06   Use a version control system.
          High: Required (effective July 2019); Medium: Recommended; Low: Recommended

SD.C.07   Use industry-standard secure coding practices.
          High: Required (effective July 2019); Medium: Recommended; Low: Recommended

SD.C.08   Follow the decommission plan for the environment after completion of the development phase.
          High: Required (effective July 2019); Medium: Recommended; Low: Recommended

Testing and Quality Assurance Phase of the SDLC

The following table describes the information security requirements in the testing and quality assurance phase. For each control, the requirement is given for each security level (High, Medium, Low).

ID        Description
          Requirement by security level (High; Medium; Low)

SD.D.01   Maintain a separate non-production environment for testing and quality assurance.
          High: Required (effective July 2019); Medium: Recommended; Low: Recommended

SD.D.02   Prevent private-highly restricted and/or private-restricted data from appearing in non-production environments unless the environment meets the same requirements as the production environment.
          High: Required; Medium: Required (effective July 2019); Low: Recommended

SD.D.03   Test software against the security and functional requirements.
          High: Required (effective July 2019); Medium: Recommended; Low: Recommended

SD.D.04   Conduct an independent code review to help identify potential coding vulnerabilities.
          High: Recommended (1); Medium: Recommended; Low: Optional

SD.D.05   Follow the decommission plan for the environment after completion of the testing phase.
          High: Required (effective July 2019); Medium: Recommended; Low: Recommended

(1) Required for PCI DSS on all systems or applications that store, process, or transmit cardholder data, or that support the credit card processing environment.

Deployment Phase of the SDLC

The following table describes the information security requirements in the deployment-to-production phase. For each control, the requirement is given for each security level (High, Medium, Low).

ID        Description
          Requirement by security level (High; Medium; Low)

SD.E.01   Maintain a production environment that is separate from non-production environments.
          High: Required; Medium: Required (effective July 2019); Low: Recommended

SD.E.02   Remove specialized privileges and access methods (for example, developer accounts, debugging interfaces, or test credentials) prior to deployment in the production environment.
          High: Required (effective July 2019); Medium: Required (effective July 2019); Low: Required (effective July 2019)

SD.E.03   Prohibit deployment when the software does not pass the security requirements in the testing phase.
          High: Required (effective July 2019); Medium: Required (effective July 2019); Low: Recommended

SD.E.04   Follow the documented procedure for maintaining access control to program source code.
          High: Required (effective July 2019); Medium: Recommended; Low: Recommended

Ongoing Maintenance Phase of the SDLC

The following table describes the information security requirements in the ongoing maintenance phase of developed software. For each control, the requirement is given for each security level (High, Medium, Low).

ID        Description
          Requirement by security level (High; Medium; Low)

SD.F.01   Monitor the software and its dependencies for vulnerabilities and bugs.
          High: Required (effective July 2019); Medium: Required (effective July 2019); Low: Recommended

SD.F.02   Document ownership for ongoing software maintenance and security controls.
          High: Required (effective July 2019); Medium: Required (effective July 2019); Low: Recommended

SD.F.03   Follow the documented procedure for maintaining access control to program source code.
          High: Required (effective July 2019); Medium: Recommended; Low: Recommended

SD.F.04   Periodically review and update the decommission plan for the non-production and production environments (an annual review is suggested).
          High: Required (effective July 2019); Medium: Recommended; Low: Recommended

Resources Covered

This applies to IT resources owned or contracted by the University.

Individuals Covered

This applies to University community members who use or manage University IT resources.

Related Information

Published Date

July 2019
