Secure Software Development Lifecycle Policy

[ORGANIZATION] shall integrate security activities into each phase of the software development lifecycle: Requirements (security requirements, threat modeling), Design (secure architecture review, security design patterns), Development (secure coding standards, peer code review), Testing (security testing, vulnerability scanning), Deployment (secure deployment procedures, configuration review), and Maintenance (patch management, ongoing monitoring).

A secure SDLC process shall be documented and communicated to all development teams.

Security requirements shall be defined for each application based on data classification and risk assessment.

Developers shall follow documented secure coding standards based on OWASP, CERT, or equivalent guidelines for their programming language.

Code shall be developed to prevent common vulnerability classes including: injection attacks (SQL, command, LDAP), cross-site scripting (XSS), cross-site request forgery (CSRF), insecure deserialization, broken authentication, and sensitive data exposure.

Third-party libraries and components shall be tracked in a software bill of materials (SBOM) and monitored for known vulnerabilities.

Hardcoded credentials, API keys, and secrets are prohibited in source code. Secrets shall be managed through approved secrets management solutions.

Static Application Security Testing (SAST) shall be integrated into the CI/CD pipeline and performed on all code before merge to the main branch.

Dynamic Application Security Testing (DAST) shall be performed on all web applications at least [CUSTOMIZE: quarterly/monthly] and before each major release.

Software composition analysis (SCA) shall be used to identify vulnerabilities in third-party components and libraries.

Penetration testing shall be performed on critical applications at least [CUSTOMIZE: annually] by qualified testers.

Security vulnerabilities identified through testing shall be remediated according to the Vulnerability Management Policy SLAs.

Production deployments shall follow a documented, repeatable process using CI/CD automation where feasible.

Developers shall not have direct access to production environments. Deployment shall be performed through automated pipelines or by designated operations personnel.

Production environments shall be separate from development, testing, and staging environments with no shared credentials.

Deployment rollback procedures shall be documented and tested for each critical application.