
1. Overview

DEV-01 Policies for the Development/Procurement of System Components

Designation / Standard

DEV-01.01B: Policies and procedures with technical and organisational measures for the secure development of system components of the cloud service are documented, communicated and provided in accordance with SP-01.

The policies and procedures contain guidelines for the entire life cycle of the cloud service and are based on recognised standards and methods with regard to the following aspects:

1. Security and quality in software development (requirements, design, implementation, testing and verification), including the existence of a security by design principle, enforcing the consideration of information security requirements in the software development phase;
2. Security and quality in software deployment (including continuous delivery);
3. Security and quality in operation (reaction to identified faults and vulnerabilities); and
4. Secure coding standards and practices (reduction of vulnerabilities being introduced to the code).


The software provision can be carried out e.g. with Continuous Delivery methods.

Accepted standards and methods for secure development are, for example:

1. ISO/IEC 27034; and
2. OWASP Secure Software Development Lifecycle (S-SDLC).



Minimisation of customer data access during operation can be supported by following robust security models, such as Zero Trust, during cloud architecture development. Furthermore, aspects such as limiting data interfaces, API calls and access as well as ensuring end-to-end-encryption from transit to storage are relevant considerations.

For quality assurance in software development, the following can be considered to be relevant processes:

1. Planning and definition of quality objectives: Definition of quality requirements based on customer needs and objectives, taking into account the requirements of the cloud system to be developed;
2. Design phase: Carrying out design reviews and inspections of the cloud service to ensure that the design meets the quality requirements;
3. Development phase: Use of code reviews and pair programming to ensure code quality. Use of static analysis tools to check the code for potential errors and violations of coding standards;
4. Testing phase: Execution (automated where possible) of various types of tests (e.g. unit tests, integration tests, system tests, acceptance tests) to ensure the functionality and quality of the software;
5. Integration and continuous integration (CI): Integration of the various software components and continuous checking of the integrations through automated builds and tests. Use of CI/CD pipelines to ensure that the code is regularly integrated and tested;
6. Release and deployment: Preparation and implementation of the software release in accordance with defined quality standards; and
7. Maintenance and continuous improvement: Monitoring the software in operation to ensure that it continues to meet the quality requirements. This includes post-release activities such as bug fixing and performance optimisation processes. Additionally, post-mortem analyses should be performed to learn from incidents and optimise processes for future releases.

An accepted standard and method for quality in development processes is, for example, Google Site Reliability Engineering (SRE).

The scope of the DEV criteria and the requirements within includes not only the development of software applications but also platforms, virtual infrastructure, and other system components.

DEV-01.02B: Guidelines for the secure development of the cloud service define principles to ensure the system architecture and software operated by the cloud service provider within the production environment are designed in such a way that access to cloud service customer data by the cloud service provider is minimised wherever possible.

DEV-01.03B: The cloud service provider defines measures to enforce the specified standards and guidelines as part of the policies and procedures for the secure development of system components of the cloud service.

DEV-01.01AC: In procurement, products are preferred which have been certified according to the 'Common Criteria for Information Technology Security Evaluation' (short: Common Criteria - CC) Evaluation Assurance Level EAL 4. If non-certified products are to be procured instead of available certified products, a risk assessment is carried out in accordance with OIS-07.


1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source / Requirement

3. Related Regulations

Regulations
Source / Regulation