Cloud Security Principle 7: Secure development

Serviceteam IT Security News

Goals

You should be confident that:

  • New and evolving threats are reviewed and the service improved in line with them.
  • Development is carried out in line with industry good practice regarding secure design, coding, testing and deployment.
  • Configuration management processes are in place to ensure the integrity of the solution through development, testing and deployment. 

Implementation – Secure development

Approach

Description

Guidance

Engineering approaches consider security as an important factor

The service provider asserts that they implement a number of controls to ensure the security of their service.

In this scenario you will need to carry out your own assessment of whether the controls in place are appropriate.

Engineering approach adheres to a secure development standard or recognised good practice

A number of security standards or good practice guides exist which service providers could claim support their achievement of the goals outlined above. These include: 

It’s reassuring that the service provider claims to implement one of these standards, but without independent confirmation of that you will need to make a judgement on whether that gives you sufficient confidence in whether all parts of the system are securely engineered.  

Independent review of engineering approach against recognised secure development standard

A number of security standards with supporting certification mechanisms exist which could be used to demonstrate conformance with the goals outlined above. These include: 

It’s advisable to check that any certification has been performed by an appropriately independent and recognised party and that the scope of the assessment included the incident management aspects required.

Additional notes – Secure development requirements

Secure development does not mean that all development must be done in-house, at secure facilities or by highly vetted personnel. Whilst these approaches may be appropriate for specialised components, it will often be better to choose mature, independently supported, off the shelf components.

Security should be considered throughout the design and development of the service. For example, during development of new features, potential attacks should be evaluated and effective mitigations designed to address them. Care must be taken to balance security, cost and usability.

Service providers should ensure when they purchase services, software components or development services from third parties, that the development practices of the supplier are suitably secure. This should be achieved through an established supply chain process (see below).

< last principle   next principle >

Source: NCSC

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!

/by
You might also like
Serviceteam IT Security News Bugs in Logitech Harmony Hub Put Connected IoT Devices at ‘High Risk’
Serviceteam IT Security News Jira security review
Serviceteam IT Security News Revamped Nukebot Malware Changes Targets, Adds Functions
Serviceteam IT Security News Automated Bots Growing Tool For Hackers
Serviceteam IT Security News Telstra sorry for publishing up to 130,000 customers’ details online
Serviceteam IT Security News Google’s secret cache of medical data includes names and full details of millions – whistleblower