I am trying to complete a Vendor review as required by our new parent company. I contacted sales, but they refused to help me and directed me here. Who can I speak with for assistance on the questions below?
Vendor Questions:
Is there a formal Software Development Life Cycle (SDLC) process?
Does the SDLC process include integration testing and acceptance testing?
Does the SDLC process include peer code review?
Is there a documented change management/change control process?
Does the application change management/change control process include change control procedures required for all changes to the production environment?
Does the application change management/change control process include testing prior to deployment?
Does the application change management/change control process include management approval prior to deployment?
Does the application change management/change control process include management approval for changes?
Does the application change management/change control process include review of code changes by information security?
Does the application change management/change control process include stakeholder communication and/or approvals?
Does the application change management/change control process include a list of individuals authorized to approve changes?
Does the application change management/change control process include documentation for all system changes?
Does the application change management/change control process include version control for all software?
Does the application change management/change control process include logging of all Change Requests?
Are applications evaluated from a security perspective prior to promotion to production?
Do pre-production application security reviews include abuse case test scripts?
Is a Secure Code Review performed regularly?
Is there a full secure code review for each release? If not, please explain the secure code review schedule and scope in the ‘Additional Information’ field.
Do secure code reviews include validation checks for the most critical web application security flaws, including Cross-Site Scripting and SQL injection (e.g., OWASP Top 10 vulnerabilities)?
Do secure code reviews include testing against common code vulnerabilities?
Are secure code reviews performed by individuals qualified to identify and correct code security flaws?