Appropriate secrets management is applied to confidential information needed to develop and deliver the service.
No hardcoded credentials or configuration are present in source code; these live only in separate configuration files with appropriate security protections.
No sensitive information is present in version history or older releases in version management systems. Configuration is stored in environment variables or in versioned scripts that generate the configuration from user input.
Specification
Apply appropriate configuration hardening using CIS recommendations where available.
Place files with sensitive information outside public access.
Apply strict permissions on sensitive files.
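An added example (not part of the SURF text) of how the three points above can be enforced in practice: a detector for credential-like literals in source, and a loader that takes a secret from an environment variable or, failing that, from a file only if that file is owner-only and owned by the current user. The regexes, the variable name EXAMPLE_DB_PASSWORD and the sample source lines are assumptions constructed for this example.

```python
import os
import re
import stat
import tempfile

# Illustrative credential-literal patterns (assumed for this example, not an official list).
HARDCODED_PATTERNS = [
    re.compile(r"""(?i)(password|passwd|secret|api_key|token)\s*=\s*["'][^"']{4,}["']"""),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),  # AWS access key id shape
]

def find_hardcoded_secrets(source):
    """Return (line_no, line) for source lines that look like hardcoded credentials."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if any(p.search(line) for p in HARDCODED_PATTERNS)]

def load_secret(name, path=None):
    """Resolve a secret from the environment, else from a strictly permissioned file."""
    value = os.environ.get(name)
    if value:
        return value
    if path is None:
        raise KeyError("secret %s not set and no file given" % name)
    st = os.stat(path)
    # Reject any group/other bits: the file must be 0600 (or stricter).
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is group/world accessible; expected 0600" % path)
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise PermissionError("%s is not owned by the current user" % path)
    with open(path) as fh:
        return fh.read().strip()

def demo():
    """Exercise both checks on constructed input and return the results."""
    bad_source = 'DB_PASSWORD = "hunter22"\nhost = "db.internal"\n'  # constructed
    good_source = 'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'          # constructed
    path = os.path.join(tempfile.mkdtemp(), "db_password")
    with open(path, "w") as fh:
        fh.write("s3cret\n")  # constructed sample secret
    os.chmod(path, 0o600)
    strict = load_secret("EXAMPLE_DB_PASSWORD", path)
    os.chmod(path, 0o644)  # now world-readable: the loader must refuse it
    try:
        load_secret("EXAMPLE_DB_PASSWORD", path)
        loose = "accepted"
    except PermissionError:
        loose = "rejected"
    return {"bad_hits": len(find_hardcoded_secrets(bad_source)),
            "good_hits": len(find_hardcoded_secrets(good_source)),
            "strict_file": strict, "loose_file": loose}
```

Running demo() shows one hit in the source with a literal password, none in the source that reads from the environment, and the 0644 copy of the secret file being refused.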
ISO 27001 & 27002:2022: 8.1, A5.8, A8.25, A8.26, A8.27, A8.28, A8.29, A8.30, A8.31, A8.32
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
SD.01 Methodology for secure development and implementation of software