Development Lifecycle Security rules to follow.

1. Development
Lifecycle

2. • Security Lifecycle Plan Questionnaire
•
•
1) Do you practice version management for any security documents for the tools used?
2) Do you run automatic security scans in your development lifecycle?
• 2.1) Do you have the latest security plugins and tools to provide security suggestions and detection to help improve secure
coding?
• 2.2) Are security experts involved in all steps of software design and QA testing?
1) Do you perform integrity checks on deployed artifacts to make sure the fires were not modified?
2) Do you monitor third party libraries used in the code at a regular interval for known weaknesses and maintainability?
3) Do you perform active checks to confirm that purchased hardware and software is as declared?
4) Have you integrated peer secure code review into the development lifecycle?
5) Do you perform security reviews for existing third-party integrations before incorporation?
6) Do you perform period full whitebox penetration testing?
7) Do you perform external attack simulations at regular intervals to check external attack detection readiness?
8) How do you manage sensitive data when shared on company communication platforms?
9) Do you review non-security related guidelines/protocols/ procedures for possible security loopholes?

3. 1) Do you use 2FA when dealing with user management data platforms?
2) Does each team have a cyber responsibility team member to help oversee security implementation?
3) Do you have a mechanism or a formal procedure which allows sharing with other projects the insecure code patterns and
weakness discovered in a project?
4) Do you have a policy in place to prevent workers to connect their phones or other non-secure devices via USB ports?
5) Do you use logical groups for important assets such as DNS domains and AWS resources to prevent having a single point of
failure?
6) Does each user have different accounts & password for different systems to prevent a single point of failure in case of breach?
• 17.1) Dou you use different accounts/password for staging and production environments?
1) Do you change the KRBTGT built-in active directory user password at regular intervals?
2) Are you enforcing the strong password policy across all machines, systems and apps?
3) Do you try and use automation, when possible, to limit security risks?
4) Are you employing SMB signing and Extended Protection for Authentication (EPA) and try to disable NTLM support in the domain
controllers to protect yourself from various NTLM relay attacks such as the new PetitPotam attack?
5) Do you have a DLP system or any measures to prevent data or code leakage or detect what was leaked?
6) Do you practice application whitelisting and enforcement using a system such as Applocker?
• Do you have an installation folder with allowed programs and packages to be installed which is secured using signatures and hash

4. 1) validation? Do you block/forbid users to download and install arbitrary programs?
2) Do you have periodic backup automation not only for databases, but for all sensitive data, code,
configurations and documents?
3) Do you use 2FA anti-deletion policies in AWS backups?
4) Do you have offline backups for all sensitive data, code, configurations and documents?
5) Do you review which servers and services are publicly accessible and block public network
access to all of those which shouldn’t be publicly accessible and add IP whitelist where
possible?
6) Have you implemented a security mechanism to prevent public access to QA websites which
have debug functionality?
7) Do you practice network separation between the staging and production servers?
8) Are you using Devops automations for all the servers, both Windows and Linux and then
implementing security hardenings and configurations into the automations?
9) Do you perform periodic review of the log management system to make sure sensitive data is
not being logged?
10)Do you have a log collection for all the systems and services?