ISO/IEC 27001 Control 8.25: Secure development life cycle
Control
Rules for the secure development of software and systems should be established and applied.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.
Implementation Overview
TODO
Implementation Details
Role-based access control (RBAC) capabilities can be used to control access to assets and tools related to software development processes and projects. Project management mechanisms can be used to make sure all software development projects have appropriate managers or owners. The same approach can also be applied to source code repositories, making sure each active repository has an appropriate owner responsible for maintaining it. Obsolete source code repositories and abandoned software development projects can be clearly marked using midPoint object lifecycle techniques.
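The following midPoint import file is an added illustration of the approach described above; it is not taken from this page or from the midPoint project. It represents two source code repositories as service objects, marks the abandoned one through its lifecycle state, and records the responsible person as the owner of the active one (midPoint expresses ownership as an assignment with the `org:owner` relation). The object names, OIDs and descriptions are constructed placeholders; the element names, the `active` and `deprecated` lifecycle states and the owner relation are midPoint's own schema.

```xml
<!-- Added illustration (not from the midPoint documentation page).
     Names, OIDs and description text are constructed placeholders;
     element names, lifecycleState values and the org:owner relation
     are midPoint's own schema. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">

    <!-- An active source code repository, represented as a service object -->
    <service oid="00000000-0000-0000-0000-aaaaaaaa0001">
        <name>repo-payment-gateway</name>
        <description>Source code repository of the payment gateway (constructed example).</description>
        <lifecycleState>active</lifecycleState>
    </service>

    <!-- An abandoned repository, clearly marked by its lifecycle state
         so that it is not mistaken for an actively maintained one -->
    <service oid="00000000-0000-0000-0000-aaaaaaaa0002">
        <name>repo-legacy-reporting</name>
        <description>Abandoned repository kept read-only for reference (constructed example).</description>
        <lifecycleState>deprecated</lifecycleState>
    </service>

    <!-- The person responsible for maintaining the active repository.
         Ownership is an assignment to the service with the org:owner relation. -->
    <user oid="00000000-0000-0000-0000-bbbbbbbb0001">
        <name>alice</name>
        <fullName>Alice Example</fullName>
        <assignment>
            <targetRef oid="00000000-0000-0000-0000-aaaaaaaa0001"
                       type="c:ServiceType" relation="org:owner"/>
        </assignment>
    </user>

</objects>
```

Once repositories are modelled this way, the owner of each repository is a queryable property rather than tribal knowledge, and an active repository without any owner assignment stands out as a gap to be closed, which is the evidence an auditor of this control will ask for.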
Implementation Notes
- This is an "umbrella" control, providing an overview of the software development life cycle and listing other controls that provide more details.
- Source code repositories can be represented by services (service objects) in midPoint.
Rationale
MidPoint provides important capabilities for management of access to source code repositories and software development tools.