Secure Development

Third Party Apps and Libraries

Description: A documented risk analysis is available for each third-party app used by the application. Third-party apps and libraries are tracked for vulnerabilities and security updates as part of...

Malware Scanning

Description: The system scans attachments, uploads and links for malware and filters content identified as harmful by these scans. Specification: The malware/anti-virus scanner of a preferred supplier is used. This...

Application (D)DoS Protection

Description: The application has taken application-level steps to prevent denial-of-service attacks, such as caching where possible, rate limiting and designing functionality to be non-blocking. This includes protecting...
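The rate-limiting step named above, worked through as an added example (not code from the original page or from any product it describes): a per-client token bucket that bounds bursts and sustained request rate, reports a Retry-After value, and caps the number of tracked clients so that an attacker spraying fresh client keys cannot exhaust memory. The client keys, the fake clock and the limits are constructed for the demonstration; in a real service the key is whatever the application authenticates (API key, session, source IP).

```python
"""Per-client token-bucket rate limiter (added example, not from the original page).

Every client key gets a bucket that refills at `rate` tokens per second up to
`capacity`. A request is admitted only while a token is available, so bursts are
bounded and one client cannot monopolise a back-end. Idle buckets are reaped, so
spraying fresh client keys cannot grow memory without bound.
"""
import time
from dataclasses import dataclass


@dataclass
class _Bucket:
    tokens: float   # tokens currently available
    last: float     # clock reading at the last refill


class TokenBucketLimiter:
    def __init__(self, rate: float, capacity: int, max_clients: int = 10_000,
                 clock=time.monotonic):
        self.rate = rate                # sustained requests per second per client
        self.capacity = capacity        # maximum burst
        self.max_clients = max_clients  # hard cap on tracked buckets
        self.clock = clock              # injectable so tests are deterministic
        self._buckets: dict[str, _Bucket] = {}

    def _refill(self, bucket: _Bucket, now: float) -> None:
        bucket.tokens = min(self.capacity, bucket.tokens + (now - bucket.last) * self.rate)
        bucket.last = now

    def _evict(self, now: float) -> None:
        """Drop buckets that have refilled completely (idle clients); if that is
        not enough, drop the least recently seen client."""
        for key, bucket in list(self._buckets.items()):
            self._refill(bucket, now)
            if bucket.tokens >= self.capacity:
                del self._buckets[key]
        while self._buckets and len(self._buckets) >= self.max_clients:
            oldest = min(self._buckets, key=lambda k: self._buckets[k].last)
            del self._buckets[oldest]

    def allow(self, client: str) -> bool:
        """Consume a token and return True, or return False if the client must back off."""
        now = self.clock()
        bucket = self._buckets.get(client)
        if bucket is None:
            if len(self._buckets) >= self.max_clients:
                self._evict(now)
            bucket = _Bucket(tokens=float(self.capacity), last=now)
            self._buckets[client] = bucket
        else:
            self._refill(bucket, now)
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False

    def retry_after(self, client: str) -> float:
        """Seconds until the client's next request would be admitted (for an
        HTTP 429 Retry-After header); 0 if it would be admitted now."""
        bucket = self._buckets.get(client)
        if bucket is None:
            return 0.0
        self._refill(bucket, self.clock())
        return max(0.0, (1.0 - bucket.tokens) / self.rate)

    def tracked_clients(self) -> int:
        return len(self._buckets)


def demo() -> tuple:
    """Deterministic walk-through with a fake clock and constructed client keys."""
    now = [0.0]
    limiter = TokenBucketLimiter(rate=1.0, capacity=3, max_clients=2, clock=lambda: now[0])
    burst = [limiter.allow("10.0.0.1") for _ in range(5)]   # 3 admitted, then 2 refused
    wait = limiter.retry_after("10.0.0.1")                  # 1.0 s until the next token
    now[0] += 2.0
    after_wait = limiter.allow("10.0.0.1")                  # two tokens have refilled
    limiter.allow("10.0.0.2")
    now[0] += 10.0                                          # both clients go idle
    limiter.allow("10.0.0.3")                               # cap reached: idle buckets evicted
    return burst, wait, after_wait, limiter.tracked_clients()
```

Keyed on an authenticated identity the limiter protects against a noisy tenant; keyed on source IP it is only a first line of defence, since a distributed attack spreads across many keys, which is why the upstream caching and non-blocking design the control also asks for still matter.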

Mobile Applications

Description: Mobile applications use certificate pinning to prevent MitM attacks against the app, for example over open WiFi. Mobile applications have protections for the binaries that users can download. Mobile apps preferably store...
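What the pinning control above checks, as an added example that is not code from the original page or from any mobile platform SDK: the pin is the SHA-256 of the server certificate's SubjectPublicKeyInfo (the convention used by HPKP and Android's Network Security Config), so a certificate can be renewed under the same key without an app update, while a MitM certificate for a different key is refused whatever CA signed it. The certificates here are constructed by hand so the example runs offline; they carry no real key and no valid signature, and a real app takes the chain from its TLS stack after normal validation.

```python
"""SPKI certificate pinning check (added example, not from the original page).

The pin is the base64 SHA-256 of the DER SubjectPublicKeyInfo. Pinning the key
rather than the whole certificate survives renewals; shipping at least one
backup pin for a key not yet in use survives a planned key rotation.
"""
import base64
import hashlib


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at `pos`; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo from an X.509 Certificate."""
    _, pos, _ = _read_tlv(cert_der, 0)              # Certificate SEQUENCE
    _, pos, tbs_end = _read_tlv(cert_der, pos)      # TBSCertificate SEQUENCE
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                              # serialNumber, signature, issuer,
        _, _, pos = _read_tlv(cert_der, pos)        # validity, subject
    tag, _, end = _read_tlv(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("malformed certificate: SubjectPublicKeyInfo not found")
    return cert_der[pos:end]


def spki_pin(cert_der: bytes) -> str:
    """Base64 SHA-256 of the SPKI, the format used in pin sets."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def verify_pins(chain_der: list, pinned: set) -> bool:
    """Accept only if some certificate in the presented chain matches a pinned key.
    Run this after normal chain validation, never instead of it."""
    return any(spki_pin(cert) in pinned for cert in chain_der)


# --- constructed test certificates (no real keys or signatures) -----------------

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


_OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")     # 1.2.840.10045.2.1
_OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")      # 1.2.840.10045.3.1.7
_OID_ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")    # 1.2.840.10045.4.3.2


def make_cert(pubkey_point: bytes, serial: int) -> bytes:
    """Build a minimal, structurally valid X.509 v3 certificate around a public key."""
    alg = _der(0x30, _der(0x06, _OID_EC_PUBLIC_KEY) + _der(0x06, _OID_PRIME256V1))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + pubkey_point))
    sig_alg = _der(0x30, _der(0x06, _OID_ECDSA_SHA256))
    validity = _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"260101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial])) + sig_alg
               + _der(0x30, b"") + validity + _der(0x30, b"") + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + bytes(8)))   # dummy signature


def demo() -> tuple:
    key_a = b"\x04" + bytes(range(1, 65))       # constructed 65-byte "point", not a real key
    key_b = b"\x04" + bytes(range(65, 129))
    cert_a1 = make_cert(key_a, serial=1)
    cert_a2 = make_cert(key_a, serial=2)        # renewed certificate, same key
    cert_b = make_cert(key_b, serial=3)         # different key, e.g. a MitM certificate
    pins = {spki_pin(cert_a1)}
    return (verify_pins([cert_a1], pins), verify_pins([cert_a2], pins),
            verify_pins([cert_b], pins), cert_a1 != cert_a2)
```

The rotation story is the part teams get wrong: a pin set with only the current key turns a routine key change into an outage for every installed app, so the backup pin and a way to update the pin set (a new app release, at minimum) belong in the design from the start.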

Web Application Security

Description: Web applications have taken all appropriate measures to protect against the OWASP Top 10 web application vulnerabilities: https://owasp.org/www-project-top-ten/ Specification: Follow all relevant instructions for web application hardening to protect against...

Input and Output Filtering

Description: All variable information sent by a client is filtered and sanitized before being processed by the application. The same applies to user-selected output that is presented back...
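The two halves of this control, input filtering and output handling, as an added example that is not code from the original page: allow-list validation at the input boundary, and separate encoding for each output context (HTML text, HTML attribute, URL) at the point where the value is written back. Stripping "dangerous" characters on input alone is not sufficient, because the same string is inert in one context and executable in another. The field names, the allow-list and the hostile inputs are constructed for the demonstration.

```python
"""Input allow-listing plus context-aware output encoding (added example, not from the original page)."""
import html
import re
from urllib.parse import quote, urlsplit

# Constructed allow-list for a username field: letters, digits, '_', '.', '-'.
_USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value: str) -> str:
    """Reject at the input boundary anything the field may not contain."""
    if not _USERNAME_RE.fullmatch(value):
        raise ValueError("username contains characters outside the allow-list")
    return value


def safe_link_href(url: str):
    """Only absolute http(s) URLs may be echoed as links; 'javascript:', 'data:'
    and scheme-relative tricks are dropped. Returns None when rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return url


def search_path(query: str) -> str:
    """URL context: percent-encode so '/', '?', '&' or '=' cannot alter the request."""
    return "/search?q=" + quote(query, safe="")


def render_comment(author: str, body: str, homepage: str) -> str:
    """HTML text and attribute contexts: escape at output, per context."""
    author_html = html.escape(validate_username(author), quote=True)
    body_html = html.escape(body, quote=True)
    href = safe_link_href(homepage)
    if href is not None:
        author_html = (f'<a href="{html.escape(href, quote=True)}" '
                       f'rel="noopener noreferrer">{author_html}</a>')
    return (f'<div class="comment"><span class="author">{author_html}</span>'
            f'<p>{body_html}</p></div>')


def demo() -> dict:
    """Constructed hostile inputs run through the two controls."""
    out = {}
    out["comment"] = render_comment("alice_01", '<img src=x onerror=alert(1)>',
                                    "javascript:alert(1)")
    out["link"] = render_comment("bob", "hi", 'https://example.com/?q="><script>')
    out["search"] = search_path("a/b?c=d&e")
    try:
        validate_username("../../etc/passwd")
        out["traversal_rejected"] = False
    except ValueError:
        out["traversal_rejected"] = True
    return out
```

A templating engine with auto-escaping enabled covers the HTML text context; the attribute and URL contexts, and the scheme check on user-supplied links, are the ones that still have to be handled explicitly.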

Configuration Files

Description: Appropriate secrets management is applied to confidential information needed to develop and deliver the service. No hardcoded credentials or configuration are present in source code, only in separate configuration...
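Two practical pieces of this control, as an added example that is not code from the original page: a loader that resolves a secret from the environment or from a file mounted by the orchestrator (the /run/secrets convention used by Docker and Kubernetes) and refuses to start with a built-in default, and a scan that a CI job can run over source files to catch credential literals before they land in the repository. The detection patterns, the sample source file and the environment values are constructed for the demonstration; a dedicated secret scanner will have a broader rule set.

```python
"""Fail-closed secret loading and a hardcoded-credential scan (added example, not from the original page)."""
import os
import re
from pathlib import Path


def load_secret(name: str, env=None, secrets_dir: str = "/run/secrets") -> str:
    """Environment first, then <secrets_dir>/<name>; no default baked into the code."""
    env = os.environ if env is None else env
    value = env.get(name)
    if value:
        return value
    path = Path(secrets_dir) / name
    if path.is_file():
        return path.read_text(encoding="utf-8").strip()
    raise RuntimeError(f"secret {name!r} not provided; refusing to fall back to a default")


def redact(value: str) -> str:
    """Never log the secret itself; log just enough to tell which value was loaded."""
    return f"{value[:2]}...{value[-2:]} ({len(value)} chars)" if len(value) > 6 else "***"


# Constructed detection rules; real scanners carry many more.
_PATTERNS = [
    ("credential literal", re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"][^'\"]{6,}['\"]")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("credential in URL", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")),
]


def find_hardcoded_secrets(source: str, filename: str = "<stdin>") -> list:
    """Return (filename, line number, rule label) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in _PATTERNS:
            if pattern.search(line):
                findings.append((filename, lineno, label))
                break
    return findings


# Constructed sample source file; the values are not real credentials.
SAMPLE_SOURCE = '''\
import os
DB_PASSWORD = "Sup3rS3cret!"                       # literal in code: flagged
api_key = os.environ["API_KEY"]                    # read at runtime: fine
DSN = "postgres://app:hunter22@db.internal/app"   # credential in URL: flagged
aws_key = "AKIAIOSFODNN7EXAMPLE"                   # AWS key id shape: flagged
'''


def demo() -> dict:
    env = {"DB_PASSWORD": "Sup3rS3cret!"}           # stands in for the process environment
    out = {"flagged_lines": [f[1] for f in find_hardcoded_secrets(SAMPLE_SOURCE, "settings.py")]}
    out["from_env"] = load_secret("DB_PASSWORD", env=env, secrets_dir="/nonexistent")
    out["logged_as"] = redact(out["from_env"])
    try:
        load_secret("MISSING", env=env, secrets_dir="/nonexistent")
        out["fails_closed"] = False
    except RuntimeError:
        out["fails_closed"] = True
    return out
```

The scan is a guard rail, not a substitute for the separation the control asks for: once a credential has been committed it is in the history and must be rotated, which is why the check belongs in a pre-commit hook or a CI stage that fails the build.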

Rollback Procedure

Description: Major changes and/or migrations that could have a potential impact on the availability of the IT service have a rollback procedure and a step-by-step plan for the change documented beforehand...

Testing Data

Description: No production information is exposed or reused in environments other than acceptance testing. This includes production data (also not in pseudonymised form), API keys, credentials and production server hostnames. Specification...

DTAP

Description: At a minimum there are distinct environments for acceptance and production. Where development activities take place, at least one separate environment for development exists. The environments are clearly distinguishable...