Security & Compliance


IS-15 Development Guidelines

Last updated: 24 October 2024 at 11:48:40 UTC by Russell Briggs

Development Guidelines

Document Ref No: IS-15
Version No: V1
Last review date: 23/10/2021
Approved by: Dom Tyler
Next review: 23/10/2022


1. Purpose, scope and users

Recycly is committed to producing high-quality, secure code in order to protect customer data and fulfil contractually agreed customer requirements. The guidelines below should be followed for all development and infrastructure projects, regardless of size.

Users of this document are all Recycly employees involved in the development process.


2. Guidelines

In summary, every software or infrastructure release to a production environment should be documented. The release record should state the key acceptance criteria used for testing and demonstrate that the release has been through an appropriate testing cycle.

 

  1. Ensure that security requirements and service availability are considered and recorded alongside the business functionality requirements. Ask:

    1. What data will the application process, and does it contain sensitive data or PII?

    2. Where and how is it being stored?

    3. Will this application be available to the public?

    4. What security controls does the application require?

    5. How will we test it?

    6. How will we deploy the release, and do we need to arrange planned system downtime?

    7. What level of post-deployment testing is needed?

    8. What is our plan if live issues are encountered?

  2. Complete a Data Protection Impact Assessment (DPIA) when personal data is being processed.

  3. Perform threat modelling on new applications to identify risks before implementation.

  4. All code should be stored in private repositories and should be peer reviewed where possible.

  5. Automated tests should be created for new features where possible.

    1. How much automation is acceptable? Should key functionality be covered (API and/or UI tests)?

    2. Should automated security tests be included?

  6. Security testing should be performed on new features after they have been committed.

  7. Review features once exploratory testing has been completed.

  8. The risks of the release process should be considered with the team, and if downtime is needed this should be agreed with the customer. The specific risks should be documented along with any specific post-deployment testing.

  9. Once deployed to the live environment, the team should check the automated health checks along with the identified post-deployment checks to confirm a fully successful release.

 

 

3. Document management

This policy shall be available to all Recycly Employees and any Third Parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Recycly Employees via email.

 

4. Version history

Summary of Change | Date of Change | Author | Version No
First Draft | 23/10/2021 | Dom Tyler | 1
