PO.5.2—Secure and harden development endpoints (i.e., endpoints for software designers, developers, testers, builders, etc.) to perform development-related tasks using a risk-based approach.
>Control Description
Secure and harden development endpoints (i.e., endpoints for software designers, developers, testers, builders, etc.) to perform development-related tasks using a risk-based approach.
>Practice: PO.5
Implement and Maintain Secure Environments for Software Development
Ensure that all components of the environments for software development are strongly protected from internal and external threats to prevent compromises of the environments or the software being developed or maintained within them. Examples of environments for software development include development, build, test, and distribution environments.
>Notional Implementation Examples
1. Configure each development endpoint based on approved hardening guides, checklists, etc.; for example, enable FIPS-compliant encryption of all sensitive data at rest and in transit.
2. Configure each development endpoint and the development resources to provide the least functionality needed by users and services and to enforce the principle of least privilege.
3. Continuously monitor the security posture of all development endpoints, including monitoring and auditing all use of privileged access.
4. Configure security controls and other tools involved in securing and hardening development endpoints to generate artifacts for their activities.
5. Require multi-factor authentication for all access to development endpoints and development resources.
6. Provide dedicated development endpoints on non-production networks for performing all development-related tasks. Provide separate endpoints on production networks for all other tasks.
7. Configure each development endpoint following a zero trust architecture.
>Cross-Framework References
Mappings to related frameworks and standards from NIST SP 800-218
- BSA FSS: DE.1-1, IA.1, IA.2
- EO 14028: 4e(i)(C), 4e(i)(E), 4e(i)(F), 4e(ii), 4e(iii), 4e(v), 4e(vi), 4e(ix)
- IEC 62443: SM-7
- SAFECode Agile: Tasks Requiring the Help of Security Experts 11
- SAFECode SIC: Vendor Software Delivery Integrity Controls
- SP 800-53
- SP 800-161: SA-15
- SP 800-181 (NICE): OM-ADM-001, SP-SYS-001, T0484, T0485, T0489, T0553, K0005, K0007, +11 more