Secure SDLC Policy

This policy ensures a secure environment throughout the software development lifecycle and that Information Security requirements are addressed in all phases. (SSDLC-17 | Version 1.7 | Effective: 25-02-2026)

Secure SDLC Policy — Version 1.7 | February 2026

Document ID: SSDLC-17 | ISO 27001:2022 Compliant | Approved By: Jagan Jami (CISO)

5. Purpose

The purpose of this policy is to ensure a secure environment throughout the development process and to ensure that Information Security requirements are addressed in all phases of software delivery and project management.

6. Scope

This policy applies to all employees, contractors, and consultants involved in the development of application software for Acuvate and its customers, covering all development activities on Acuvate infrastructure, client infrastructure (VDI/VPN), or cloud-based environments.

7. Roles and Responsibilities

  • Project Manager — Ensure SDLC policy adherence; approve change requests and deployment plans
  • Development Team — Follow secure coding practices; participate in code reviews; complete secure coding training
  • QA/Testing Team — Execute security test cases; validate VAPT remediation; maintain test evidence
  • IT Security / ISMS Manager — Define security requirements; review VAPT reports; approve exceptions
  • CISO — Approve policy exceptions; final authority on security risk acceptance

9. Design and Development

  • Peer review approval is mandatory before any merge to main/release branches
  • Source code shall be stored in approved repositories only (Azure DevOps, GitHub, or client-specified)
  • No developer shall have direct commit access to main/production branches without peer review approval
  • Production data must not be used in test/development environments without masking

10. System Acceptance Testing

  • Application security testing (VAPT) shall be carried out against OWASP Top 10 (2021) before deployment
  • All Critical and High vulnerabilities shall be closed prior to deployment
  • VAPT reports shall be reviewed by the ISMS Manager within 5 working days of receipt

11. AI-Assisted Development Guidelines

  • AI-generated code shall undergo the same peer review and security review as human-written code
  • Developers shall not input client confidential data, production credentials, API keys, or PII into AI tools
  • AI tool usage shall comply with client contractual requirements

12. Secure Coding Training

  • All development team members shall complete secure coding training at least every 6 months
  • Training covers OWASP Top 10 (2021), secure authentication, input validation, encryption, and secure API design
  • New developers/contractors shall complete training within 30 days of onboarding

Next Review Date: 25-02-2027 | Owner: Projects / IT Department

Back
Back to top