Content library
Secure development
Ensuring the coverage of new IT system development requirements

Other tasks from the same security theme

Task name
Priority
Status
Theme
Policy
Other requirements
Documentation of security metrics related to application security
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Documentation of security metrics related to application security
1. Task description

The organization must specifically document security metrics that measure the level of application security. Implementation must take into account the organization's own security objectives as well as other security requirements.

Separation of production, testing and development environments
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
25
requirements

Examples of other requirements this task affects

12.5: Control of operational software
ISO 27001
12.1.4: Separation of development, testing and operational environments
ISO 27001
12.5.1: Installation of software on operational systems
ISO 27001
14.2.6: Secure development environment
ISO 27001
PR.DS-7: The development and testing environments
NIST
See all related requirements and other information from tasks own page.
Go to >
Separation of production, testing and development environments
1. Task description

Software under development, testing and production is run in differentiated technical environments in order to ensure the quality of development work in an environment that adapts to the production environment and, on the other hand, the production environment is not disturbed by unfinished development.

Sensitive or personal data of users is not copied and used in a development environment.

Definition of done and testing principles
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
11
requirements

Examples of other requirements this task affects

14.2.3: Technical review of applications after operating platform changes
ISO 27001
14.2.9: System acceptance testing
ISO 27001
8.29: Security testing in development and acceptance
ISO 27001
CC8.1: Change management procedures
SOC 2
PR.IP-2: A System Development Life Cycle to manage systems is implemented.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Definition of done and testing principles
1. Task description

The development unit itself maintains a list of criteria that need to be met before a task can be marked as completed. The criteria may include e.g. review requirements, documentation requirements and testing requirements.

New code will only be implemented after extensive testing that meets pre-defined criteria. Tests should cover usability, security, effects on other systems, and user-friendliness.

Kriittisten ohjelmistojen toteutuksen säännöllinen tarkastaminen
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
1
requirements

Examples of other requirements this task affects

TEK-14: Ohjelmistojen turvallisuuden varmistaminen
Julkri
See all related requirements and other information from tasks own page.
Go to >
Kriittisten ohjelmistojen toteutuksen säännöllinen tarkastaminen
1. Task description

Kriittiset tietojärjestelmien tai tarjottujen digipalvujen toteutus tarkastatetaan säännöllisesti hyödyntäen ennalta määriteltyä luotettavaa standardia tai turvallisen ohjelmoinnin ohjetta.

Tarkentavia ohjeita ovat mm. VAHTI Sovelluskehityksen tietoturvaohje (VAHTI 1/2013), OWASP Application Security Verification Standard (ASVS) sekä Kyberturvallisuuskeskuksen ohje "Turvallinen tuotekehitys: kohti hyväksyntää".

Safe running of unknown code
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
2
requirements

Examples of other requirements this task affects

MWP-06: Safe running of unknown code
Cyber Essentials
MWP: Application sandboxing
Cyber Essentials
See all related requirements and other information from tasks own page.
Go to >
Safe running of unknown code
1. Task description

All code of unknown origin must be executed in a so-called sandbox environment, i.e. isolated from other devices and networks in the organization. This prevents it from accessing the organization's resources without special permission from the user. This includes:

  • Other software in its own sandboxes
  • Databases that store images or documents, for example
  • Peripheral devices such as cameras, microphones and GPS
  • Access to the local network.
Approval from the data owner for using production data for testing purposes
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Approval from the data owner for using production data for testing purposes
1. Task description

The organization must obtain approval from the owner of the information, and manage potential risks, before using it for testing purposes.

Built in and default data protection in systems development (Privacy by design)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Built in and default data protection in systems development (Privacy by design)
1. Task description

The organization has to create procedures for having data protection, correct way of processing personal data and compliance with data protection requirements by default in all new systems, digital services or in planning and development of new procedures from the start.

This is called principle of privacy by design. Important part of applying this principle is configuring systems default settings so that they minimize processing of personal data and follow all regional laws and regulations.

Built in and default cyber security in system development (Security by design)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
4
requirements

Examples of other requirements this task affects

2.1.5: Use a secure software development method
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Built in and default cyber security in system development (Security by design)
1. Task description

The organization must create procedures that by default cyber security and security requirements are considered from the start when developing and designing new systems, digital services or business processes.

This is called the principle of built-in and default security (security by design). As a result of this approach, the design documentation should clearly indicate what measures are taken to ensure cyber security.

Automated secure code deployment and release
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
3
requirements

Examples of other requirements this task affects

2.1.5: Use a secure software development method
NSM ICT-SP
2.1.8: Maintain the software code developed/used by the organisation
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Automated secure code deployment and release
1. Task description

The organization must define the means for a secure software deployment strategy. Means should be automated if possible.

Designing Secure Software Development Life Cycle(SSDLC) process
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
8
requirements

Examples of other requirements this task affects

PR.IP-2: A System Development Life Cycle
NIST
PR.IP-2: A System Development Life Cycle to manage systems is implemented.
CyberFundamentals
2.1.5: Use a secure software development method
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Designing Secure Software Development Life Cycle(SSDLC) process
1. Task description

The organization shall define and implement a Secure Software Development Life Cycle (SSDLC) process in software development.

The first step in the SSDLC process should be to define security requirements that ensure that security considerations become integrated into the services being developed right from the creation phase.

It is recommended that the SSDLC process include at least the following steps:

  • A - Training
  • B - Description of the requirements
  • C - Design
  • D - Development
  • E - Security testing
  • F - Publication
  • G - Responding to issues
Protection and minimisation of test data
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
9
requirements

Examples of other requirements this task affects

14.3: Test data
ISO 27001
14.3.1: Protection of test data
ISO 27001
8.33: Test information
ISO 27001
21.2.e: Secure system acquisition and development
NIS2
5.3.1: Information Security in new systems
TISAX
See all related requirements and other information from tasks own page.
Go to >
Protection and minimisation of test data
1. Task description

The data and other materials used for testing should be carefully selected and protected.

Production information that contains personal or other confidential information should not be used for testing purposes.

Encryption of user password information
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
9
requirements

Examples of other requirements this task affects

9.4.2: Secure log-on procedures
ISO 27001
10.1.1: Policy on the use of cryptographic controls
ISO 27001
14.1.3: Protecting application services transactions
ISO 27001
14.2.5: Secure system engineering principles
ISO 27001
8.5: Secure authentication
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Encryption of user password information
1. Task description

We use strong encryption during password transmission and storage in all services we develop.

Encryption of public network traffic for application services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
14
requirements

Examples of other requirements this task affects

13.2.3: Electronic messaging
ISO 27001
14.1.2: Securing application services on public networks
ISO 27001
14.1.3: Protecting application services transactions
ISO 27001
14.2.5: Secure system engineering principles
ISO 27001
PR.DS-2: Data-in-transit
NIST
See all related requirements and other information from tasks own page.
Go to >
Encryption of public network traffic for application services
1. Task description

Information included in application services transmitted over public networks must be protected against fraudulent and non-contractual activity and against unauthorized disclosure and alteration.

We use strong encryption and security protocols (eg TLS, IPSEC, SSH) to protect confidential information when it is transmitted over public networks in connection with the IT services we develop.

General rules for reviewing and publishing code
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
8
requirements

Examples of other requirements this task affects

14.2.2: System change control procedures
ISO 27001
14.2.3: Technical review of applications after operating platform changes
ISO 27001
TEK-14: Ohjelmistojen turvallisuuden varmistaminen
Julkri
8.28: Secure coding
ISO 27001
8.32: Change management
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
General rules for reviewing and publishing code
1. Task description

General rules for reviewing, approving and publishing the code have been defined and enforced.

The rules may include e.g. the following things:

  • the generated code has been validated against the general safe development guidelines of the OWASP Framework
  • the code has been reviewed by at least two people
  • the changes have been approved by a designated, authorized user prior to publication
  • the system documentation has been updated before release
  • the time of publication of the changes has been chosen in accordance with the given instructions in order to minimize disruption to business processes
  • the instructions needed by users have been updated before the code is released

The rules are intended to manage the risks associated with the release of new program code.

Listing authorized users for publishing code changes
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
8
requirements

Examples of other requirements this task affects

12.5: Control of operational software
ISO 27001
12.5.1: Installation of software on operational systems
ISO 27001
14.2.2: System change control procedures
ISO 27001
14.2.7: Outsourced development
ISO 27001
8.19: Installation of software on operational systems
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Listing authorized users for publishing code changes
1. Task description

Only pre-defined, authorized users are allowed to post changes to the code.

Source code management
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
7
requirements

Examples of other requirements this task affects

9.4.5: Access control to program source code
ISO 27001
14.2.6: Secure development environment
ISO 27001
8.4: Access to source code
ISO 27001
8.31: Separation of development, test and production environments
ISO 27001
CC8.1: Change management procedures
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Source code management
1. Task description

Access to source code and other related plans is controlled to prevent e.g. adding unauthorized code and avoiding unintentional changes. Access rights are allocated on a need-to-know basis and, for example, support staff are not granted unlimited access rights.

Source code control can be implemented, for example, by storing all code centrally in a dedicated source code management system.

Guidelines for secure development
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
20
requirements

Examples of other requirements this task affects

14.2.1: Secure development policy
ISO 27001
14.2.5: Secure system engineering principles
ISO 27001
TEK-14: Ohjelmistojen turvallisuuden varmistaminen
Julkri
8.25: Secure development life cycle
ISO 27001
8.27: Secure system architecture and engineering principles
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Guidelines for secure development
1. Task description

The general rules for secure development work have been drawn up and approved by the development managers. The implementation of the rules is monitored in software development in the organization and the rules are reviewed at least yearly.

The safe development policy may include e.g. the following things:

  • safety requirements of the development environment
  • instructions for secure coding of the programming languages used
  • safety requirements at the design stage of properties or projects
  • secure software repositories
  • version control security requirements
  • the skills required from developers to avoid, discover and fix vulnerabilities
  • compliance with secure coding standards

Compliance with the rules of secure development may also be required of key partners.

Process for monitoring and tracking outsourced development work
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
12
requirements

Examples of other requirements this task affects

14.2.7: Outsourced development
ISO 27001
DE.CM-6: External service provider activity monitoring
NIST
8.28: Secure coding
ISO 27001
8.30: Outsourced development
ISO 27001
21.2.e: Secure system acquisition and development
NIS2
See all related requirements and other information from tasks own page.
Go to >
Process for monitoring and tracking outsourced development work
1. Task description

Even when development is outsourced, we remain responsible for complying with appropriate laws and verifying the effectiveness of security controls.

We have defined the procedures that we monitor and follow throughout the outsourcing chain.Practices may include e.g. the following things:

  • policies for reviewing and approving generated code
  • evidence of testing activities performed by the partner
  • communication practices
  • contractual rights to audit the development process and management tools
  • documentation requirements for code generation
Restoration strategy
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
7
requirements

Examples of other requirements this task affects

12.3: Backup
ISO 27001
12.5: Control of operational software
ISO 27001
12.3.1: Information backup
ISO 27001
12.5.1: Installation of software on operational systems
ISO 27001
14.2.2: System change control procedures
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Restoration strategy
1. Task description

We have agreed and recorded policies to restore an earlier version of the software before implementing the releases.

Change management procedure for significant changes to data processing services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
23
requirements

Examples of other requirements this task affects

14.2.2: System change control procedures
ISO 27001
14.2.4: Restrictions on changes to software packages
ISO 27001
PR.DS-6: Integrity checking
NIST
TEK-17: Muutoshallintamenettelyt
Julkri
8.32: Change management
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Change management procedure for significant changes to data processing services
1. Task description

Inadequate change management is a common cause of incidents for digital services.

An organization shall document the change management process that must be followed whenever significant changes are made to developed digital services or other computing services that affect cyber security. The process includes requirements e.g. for the following:

  • Defining and documenting the change
  • Assessing the risks and defining the necessary control measures
  • Other impact assessment of the change
  • Testing and quality assurance
  • Managed implementation of the change
  • Updating a change log
Using data system risk assessments to determine separation needs
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
1
requirements

Examples of other requirements this task affects

5.2.2: Seperation of testing and development environments
TISAX
See all related requirements and other information from tasks own page.
Go to >
Using data system risk assessments to determine separation needs
1. Task description

The organisation's IT systems go through a risk assesment that's used for determining the necessity for the seperation into development, testing and operational systems.

The segmentation is then implemented based on the results of the risk assesment.

Testing security functions that are affected by the changes to ICT systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
1
requirements

Examples of other requirements this task affects

2.10.3: Test affected security functions
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Testing security functions that are affected by the changes to ICT systems
1. Task description

Test security functions that are affected by changes to ICT systems both before and after deployment in order to maintain secure state. It is important to ensure that security functions are tested because changes to ICT systems can often create new vulnerabilities.

Integrating security into the organization's urgent change processes
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
1
requirements

Examples of other requirements this task affects

2.10.4: Integrate security into the organisation’s urgent change processes
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Integrating security into the organization's urgent change processes
1. Task description

The organization must integrate security aspects into its urgent change processes, even in time-sensitive or emergency situations. Minimum requirements for staff involvement, testing, and documentation should be stipulated both before and after deployment. This ensures clear documentation of the minimum steps that must be taken in urgent cases.

Establishing and managing an inventory of third-party software components
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Establishing and managing an inventory of third-party software components
1. Task description

The organization creates a centralized bill of materials (BOM) repository to manage third-party components, including detailed information, tracking, regular updates, risk assessments, vulnerability monitoring, and facilitate communication with development teams for proactive security management.

Specific safeguards for production data used for testing
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
9
requirements

Examples of other requirements this task affects

14.3: Test data
ISO 27001
14.3.1: Protection of test data
ISO 27001
8.33: Test information
ISO 27001
21.2.e: Secure system acquisition and development
NIS2
2.1.6: Use separate environments for development, test and production
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Specific safeguards for production data used for testing
1. Task description

The use of production data for testing purposes should be avoided. If confidential information is used in testing, the following security measures should be used:

  • all sensitive details should be either deleted or made secure (e.g. anonymisation of personal data)
  • testing environments are subject to the same strict access control as production
  • copying production data to the test environment is done only with a separate authorization
  • production data is removed from the test environment immediately upon completion of testing
Regular critical code identification and verification
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
14
requirements

Examples of other requirements this task affects

14.2.3: Technical review of applications after operating platform changes
ISO 27001
14.2.5: Secure system engineering principles
ISO 27001
14.2.9: System acceptance testing
ISO 27001
8.27: Secure system architecture and engineering principles
ISO 27001
21.2.e: Secure system acquisition and development
NIS2
See all related requirements and other information from tasks own page.
Go to >
Regular critical code identification and verification
1. Task description

The definition of security-critical code for the various services is maintained. New parts of the critical code are constantly being identified and new updates are being checked particularly closely for changes to the critical code. The aim is to keep the likelihood of security vulnerabilities to a minimum.

Secure setting and distribution of temporary login information
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
3
requirements

Examples of other requirements this task affects

9.2.4: Management of secret authentication information of users
ISO 27001
5.17: Authentication information
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Secure setting and distribution of temporary login information
1. Task description

Temporary credentials should be unique and should not be quessable, for example, by inferring from user data.

Maintaining a release log
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
3
requirements

Examples of other requirements this task affects

12.5: Control of operational software
ISO 27001
12.5.1: Installation of software on operational systems
ISO 27001
8.19: Installation of software on operational systems
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Maintaining a release log
1. Task description

An event log should be kept for all updates to production or customer software or in-house IT services.

Ensuring the coverage of new IT system development requirements
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
1
requirements

Examples of other requirements this task affects

5.3.1: Information Security in new systems
TISAX
See all related requirements and other information from tasks own page.
Go to >
Ensuring the coverage of new IT system development requirements
1. Task description

Organization ensures that the following aspects are covered in the requirement specifications for new system development:

  • Information security requirements
  • Vendor recommendations and best practices for secure configuration and implementation
  • General best practices and security guidelines
  • Fail-safe mechanisms (designed to return to a safe state in case of failure or malfunction)

Newly developed systems are reviewed against the specifications before moving to production use.

Universal cyber compliance language model: Comply with confidence and least effort

In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.

Security frameworks tend to share the common core. All frameworks cover basic topics like risk management, backup, malware, personnel awareness or access management in their respective sections.
Cyberday’s universal cyber security language technology creates you a single security plan and ensures you implement the common parts of frameworks just once. You focus on implementing your plan, we automate the compliance part - for current and upcoming frameworks.
Start your free trial
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.