ISO/IEC 27001 Control 8.25: Secure development life cycle
Control
Rules for the secure development of software and systems should be established and applied.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.
Implementation Overview
MidPoint provides access control and policies supporting secure software development.
Implementation Details
Role-based access control (RBAC) capabilities can be used to control access to assets and tools related to software development processes and projects. Project management mechanisms can be used to make sure all software development projects have appropriate managers or owners. This approach can also be applied to source code repositories (inventoried as services or applications), making sure each active repository has an appropriate owner responsible for maintaining it. Obsolete source code repositories and abandoned software development projects can be clearly marked using midPoint object lifecycle techniques. Policy rules, such as segregation of duties (SoD) rules, can be used to set up governance policies over repositories and environments. For example, SoD rules can be used to segregate development, testing and administration roles.
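The following midPoint import file is an added illustration of the three mechanisms named above (a service object with an owner, a lifecycle state marking an obsolete repository, and an SoD exclusion policy rule); it is not part of this page or of the midPoint distribution. All names are constructed, the OIDs are placeholders to be replaced with real ones, and it assumes the standard midPoint object schema (common-3 namespace, org:owner relation, exclusion policy constraints).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original page. OIDs are placeholders. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">

    <!-- An active source code repository inventoried as a service object.
         Its owner is recorded through an assignment on the user (below). -->
    <service oid="00000000-0000-0000-0000-aaaaaaaaaaa1">
        <name>repo-payment-gateway</name>
        <description>Git repository for the payment gateway (constructed sample)</description>
        <lifecycleState>active</lifecycleState>
    </service>

    <!-- An abandoned repository: the archived lifecycle state makes it clearly
         marked as obsolete without deleting the inventory record. -->
    <service oid="00000000-0000-0000-0000-aaaaaaaaaaa2">
        <name>repo-legacy-reporting</name>
        <description>Retired reporting tool repository (constructed sample)</description>
        <lifecycleState>archived</lifecycleState>
    </service>

    <!-- Administration role that must never be combined with development. -->
    <role oid="00000000-0000-0000-0000-bbbbbbbbbbb1">
        <name>Build Infrastructure Administrator</name>
    </role>

    <!-- Development role carrying the SoD rule. The exclusion constraint
         rejects (enforces) any attempt to hold both roles at once. -->
    <role oid="00000000-0000-0000-0000-bbbbbbbbbbb2">
        <name>Developer</name>
        <assignment>
            <policyRule>
                <name>developer-excludes-build-admin</name>
                <policyConstraints>
                    <exclusion>
                        <targetRef oid="00000000-0000-0000-0000-bbbbbbbbbbb1" type="RoleType"/>
                    </exclusion>
                </policyConstraints>
                <policyActions>
                    <enforcement/>
                </policyActions>
            </policyRule>
        </assignment>
    </role>

    <!-- The repository owner: the org:owner relation on the assignment
         records responsibility for maintaining the active repository. -->
    <user oid="00000000-0000-0000-0000-ccccccccccc1">
        <name>jdoe</name>
        <assignment>
            <targetRef oid="00000000-0000-0000-0000-aaaaaaaaaaa1"
                       type="ServiceType" relation="org:owner"/>
        </assignment>
        <assignment>
            <targetRef oid="00000000-0000-0000-0000-bbbbbbbbbbb2" type="RoleType"/>
        </assignment>
    </user>
</objects>
```

With these objects imported, a request to add the administrator role to jdoe is rejected by the enforcement action, and a simple query for services in the active lifecycle state that have no assignment with the org:owner relation pointing at them lists the repositories still missing a responsible owner.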
Implementation Notes
- This is an "umbrella" control, providing an overview of the software development life cycle and listing other controls that provide more details.
- Source code repositories can be represented by services (service objects) in midPoint.
Rationale
MidPoint provides important capabilities for management of access to source code repositories and software development tools.