Page 280 - Government Information & Communication Technology (ICT) Procurement Guidelines
vulnerability information, including the current list of SANS 25 Most Dangerous Programming Errors;[1]
(c) provide the Purchaser with a written report, in the form required by Section I(c), above, as soon as possible after a vulnerability, threat, or risk has been identified.
III. Development Environment
For any application developed under this Contract, the Vendor shall:
(a) Secure Coding:
Identify the tools to be used in its software development environment to encourage secure coding. Unless the Purchaser has identified, in writing, the secure coding guidelines to be followed during the application development process, the Vendor shall provide and follow a set of written secure coding guidelines that, at a minimum, indicate how code will be formatted, structured, documented and tested.
(b) Configuration Management:
Document, in writing, the source code control system to be used to authenticate and log the team member(s) associated with all changes to the software baseline and all related configuration and build files.
(c) Distribution:
Document, in writing, a build process that reliably builds a complete distribution from source. This process shall include a method for verifying the integrity of the application delivered to Purchaser.
(d) Disclosure:
Document, in writing, any third party software used in the application, including all libraries, frameworks, components, system privileges, and other products, whether commercial, free, open-source, or closed-source.
(e) Evaluation:
Use reasonable efforts to ensure that any third party software used in the application meets all the terms of this Contract and is as secure as custom code developed under this Contract.
IV. Testing
The Vendor shall:
(a) document, in writing, a detailed security test plan, based on a recognized industry standard, that will establish that each of the security requirements has been met;