Maintain the software code developed/used by the organisation

Organisations should regularly check for new versions of used open-source code. Ideally, this process is automated. New versions of open-source code can often contain new security functions, security patches, etc.

The general rules for secure development work have been drawn up and approved by the development managers. The implementation of the rules is monitored in software development in the organization and the rules are reviewed at least yearly.

The safe development policy may include e.g. the following things:

• safety requirements of the development environment
• instructions for secure coding of the programming languages used
• safety requirements at the design stage of properties or projects
• secure software repositories
• version control security requirements
• the skills required from developers to avoid, discover and fix vulnerabilities
• compliance with secure coding standards

Compliance with the rules of secure development may also be required of key partners.

The organization must define the means for a secure software deployment strategy. Means should be automated if possible.

The organisation has to make sure that all licensed software are updated with in 14 days of the update coming live when:

• The update fixes vulnerabilities that are considered critical or high risk
• Supplier does not release details about the severity of the vulnerability

The definition of security-critical code for the various services is maintained. New parts of the critical code are constantly being identified and new updates are being checked particularly closely for changes to the critical code. The aim is to keep the likelihood of security vulnerabilities to a minimum.