Scope
The application security policy aims to maintain the security of our own applications throughout all the development life cycle being development, maintained and distributed across our organization.
Development team
The responsibility of the development team is mainly to ensure that our software is secure by following industry standard security practices including
- Develop using Secure coding practices such as input validation, output encoding, parameterized queries to prevent XSS, CSRF or SQL Injection
- Ensuring that their development environment is secure
- The main production environment should only be controlled by authorized personnel. In this case on the CTO has access to the main production environments and only the CTO has the permission to publish production code to the main Azure environment
- The applications should audit each and every action that has specific security concerns.
- Data encryption should be in place for sensitive data
- The main production environment such as GIT Repos or FTPs should be accessible only through the use of strong passwords being not less than 15 characters and all passwords should be randomized.
- Ensure that methods should only be called through authenticated calls and be based on a role based approach where certain users can only access their parts. No anonymous calls should be used for any call which requires someone to be authenticated
- The development team should be aware of the OWASP security policy and should follow guidelines which is set by this organization to decrease the application’s attack surface