Application Development Policy - Application Security Scope
Source code supply chain security is the process of securing the software development process to prevent unauthorized access or modification of source code. This may include measures such as code signing and digital signatures to verify the authenticity of code, as well as security controls on the build process to prevent unauthorized changes.
Source code supply chain security plays an important role within the application security scope by providing a mechanism to ensure the code used in an application is trustworthy. By verifying the source code and digitally signing it, organizations can be sure that the code has not been tampered with and that it comes from a trusted source. This verification process helps prevent malicious code from being introduced into an application, which in turn helps protect the confidentiality, integrity, and availability of the application.
Secure Coding – Appropriate requirements and controls must be in place to secure and protect application source code including, but not limited to, the following:
Directories or repositories containing application source code are secured from unauthorized access.
Source code is not stored on production systems when possible.
All changes to code are logged in a central version control solution, which, to the extent possible, should also log all access to source code files.
Read and modification access to source code is properly assigned.
Secure Coding Standards – Developers must be trained in secure coding techniques based on best practice guidelines (e.g., the OWASP guide). A secure coding standard must be utilized as part of the software development methodology. All web-based applications must be developed based on a current version of the OWASP secure code guidelines, and must account for the following:
Cross-site scripting (XSS) (validate all parameters before inclusion).
Injection flaws, particularly SQL injection (validate input to verify user data cannot modify meaning of commands and queries).
Malicious file execution (validate input to verify the application does not accept file names or files from users).
Insecure direct object references (do not expose internal object references to users).
Cross-site request forgery (CSRF).
Information leakage and improper error handling (do not leak information via error messages or other means).
Broken authentication and session management (properly authenticate users and protect account credentials and session tokens).
Insecure cryptographic storage (prevent cryptographic flaws).
Insecure communications (properly encrypt all authenticated and sensitive communications).
Failure to restrict URL access (consistently enforce access control in the presentation layer and business logic for all URLs).