ECSD-2 Software Development Change Controls
Overview
Change controls for software development are in place to prevent unauthorized programs or modifications to programs from being implemented. Change controls include review and approval of application change requests and technical system features to assure that changes are executed by authorized personnel and are properly implemented.
| MAC / CONF | Impact | Subject Area |
|---|---|---|
| MACI MACII | High | Enclave Computing Environment |
Details
| Threat |
|---|
| The integrity of computer systems is at risk if software development change controls are not established and implemented. A Configuration Management (CM) plan, and an access control policy greatly reduce the risk of unauthorized program modification. |
| Guidance |
|---|
| 1. A CM plan shall be established and implemented, and the CM plan shall include how software change requests are prepared, submitted, processed, and tracked. 2. The IAM/IAO and the site’s lead developer/programmer shall authorize and document the roles, responsibilities, and privileges for all personnel allowed to make software development changes. 3. Systems shall include technical features that implement a role-based access scheme to assure program modifications are made by authorized personnel. 4. The software developer’s user accounts shall be limited to the minimum number of permissions needed to perform their assigned duties. |
References
- NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995
- DISA, Recommended Standard Application Security Requirements Version 2, March 2003
- DISA, Application Security Checklist, Version 2.0, Release 1.5, 28 January 2005