Application Development Security Policy

This policy defines security requirements for internally-developed and purchased applications. This policy should be aligned with the Password Management Policy.

Read on for excerpts from the actual policy:

Scope

This policy applies to all application systems (software), either developed internally or purchased from a third party.

Policy

The following rules establish the way passwords and accounts are managed during software development.

1. Password retrieval must be prevented. Computer and communication systems must be designed, tested, and controlled so as to prevent both the retrieval of, and unauthorized use of stored passwords, whether the passwords appear in encrypted or unencrypted form.
2. Printed and displayed passwords must be obscured. When an application prints or displays a password, the password must be masked, suppressed, or otherwise obscured so that onlookers will not be able to observe or subsequently recover them.
3. Vendor default passwords must be changed. All vendor-supplied default passwords must be changed before any computer or communications system is used for _COMPANY business.
4. Vendor default account names must be changed. All vendor-supplied default account names must be changed before any computer or communications system is used for _COMPANY business.
5. Passwords must not be “hard-coded” or stored in readable form.  To allow passwords to be changed when needed, passwords must never be hard-coded (incorporated) into software developed by or modified by _COMPANY workers. Passwords must not be stored in readable form in batch files, automatic log-in scripts, software macros, terminal function keys, in computers without access control, or in other locations where unauthorized persons might discover or use them.
6. Stored passwords must be encrypted.  Passwords must always be encrypted when held in storage for any significant period of time or when transmitted over networks.  Doing so will prevent them from being disclosed to wiretappers, technical staff who are reading systems logs, and other unauthorized parties.
7. Passwords must meet minimum security specifications. The length of passwords must always be checked automatically at the time that users construct or select them.  All passwords must conform to the current password standard for length (number of characters) and composition (inclusion of alphabetical and non-alphabetical characters).
8. Password generation algorithms must be protected.  If passwords or Personal Identification Numbers (PINs) are generated by a computer system, all software and files containing formulas, algorithms, and other specifics of the process must be controlled with the most stringent security measures supported by the involved computer system.
9. User-chosen passwords must be entered twice if masked when entered.  Whenever user-chosen passwords or encryption keys are first specified, they must be entered twice and masked so that onlookers cannot see what was typed.  Both of these entries must match in order to be accepted by the system.  This requirement will prevent typing mistakes from locking users out of the system or preventing access to important information.