Julkri: TL IV-I
TEK-14: Ensuring software security

How to fill the requirement

Regular review of the implementation of critical software
Theme: Development and cloud
Policy: Secure development

This task also fulfils the following other security requirements:

  • TEK-14: Ensuring software security (Julkri)
1. Task description

The implementation of critical information systems or provided digital services is reviewed regularly, using a predefined, trusted standard or secure programming guideline.

More detailed guidance is available in, for example, the VAHTI information security guideline for application development (VAHTI 1/2013), the OWASP Application Security Verification Standard (ASVS) and the Finnish National Cyber Security Centre's guideline "Turvallinen tuotekehitys: kohti hyväksyntää" (Secure product development: towards approval).

General rules for reviewing and publishing code
Theme: Development and cloud
Policy: Secure development

This task also fulfils the following other security requirements:

  • 14.2.3: Technical review of applications after operating platform changes (ISO27 Full)
  • 14.2.2: System change control procedures (ISO27 Full)
  • TEK-14: Ensuring software security (Julkri)
  • 8.28: Secure coding (ISO27k1 Full)
  • 8.32: Change management (ISO27k1 Full)
1. Task description

General rules for reviewing, approving and publishing the code have been defined and enforced.

The rules may include, for example, the following:

  • the produced code has been validated against the OWASP secure development guidelines
  • the code has been reviewed by at least two people
  • the changes have been approved by a designated, authorized person prior to publication
  • the system documentation has been updated before release
  • the time of publication of the changes has been chosen in accordance with the given instructions in order to minimize disruption to business processes
  • the instructions needed by users have been updated before the code is released

The rules are intended to manage the risks associated with the release of new program code.

Guidelines for secure development
Theme: Development and cloud
Policy: Secure development

This task also fulfils the following other security requirements:

  • 14.2.1: Secure development policy (ISO27 Full)
  • 14.2.5: Secure system engineering principles (ISO27 Full)
  • TEK-14: Ensuring software security (Julkri)
  • 8.25: Secure development life cycle (ISO27k1 Full)
  • 8.27: Secure system architecture and engineering principles (ISO27k1 Full)
1. Task description

The general rules for secure development work have been drawn up and approved by the development managers. Compliance with the rules is monitored in the organization's software development, and the rules are reviewed at least yearly.

The secure development policy may include, for example, the following:

  • security requirements for the development environment
  • secure coding instructions for the programming languages used
  • security requirements at the design stage of features or projects
  • secure software repositories
  • version control security requirements
  • the skills required from developers to avoid, discover and fix vulnerabilities
  • compliance with secure coding standards

Compliance with the rules of secure development may also be required of key partners.

Security rules for the development and acquisition of data systems
Theme: System management
Policy: Data system procurement

This task also fulfils the following other security requirements:

  • I13: Access control implementations realised in software (Katakri)
  • Section 13: Information security of information materials and information systems (TiHL)
  • 14.1.1: Information security requirements analysis and specification (ISO27 Full)
  • 14.1.2: Securing application services on public networks (ISO27 Full)
  • 14.2.5: Secure system engineering principles (ISO27 Full)
1. Task description

Whenever new data systems are acquired or developed, pre-defined security rules are followed, taking into account the priority of the system. The rules ensure that adequate measures are taken to protect the data and the data processing in the system.
