I’m looking for assurance from our dev team around the security of in-house developed apps in order for them to support processing PII data. I’ve started drawing up areas for consideration, including:
* Evidence of coding practices that are geared towards security
* Third-party library maintenance
* Code storage, accessibility and audit
* Data management – classification, encryption, key management
* Application authentication, authorisation & audit – app RBAC controls
* SDLC – Testing & release processes (testing for security)
Are there any published frameworks, development assurance models or other such reference material that I could use to ensure I am asking all the right questions?
And do I take the responses to these questions at face value? Short of examining the code myself I’m not sure what else I can do. I guess I’m looking for evidence that they actually have secure coding practices in place – documented coding standards, for example?