last sync: 2024-Jun-13 18:14:14 UTC

Microsoft Managed Control 1603 - Developer Security Testing And Evaluation | Regulatory Compliance - System and Services Acquisition

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1603 - Developer Security Testing And Evaluation
Id 2b909c26-162f-47ce-8e15-0c1f55632eac
Version 1.0.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this System and Services Acquisition control
Additional metadata Name/Id: ACF1603 / Microsoft Managed Control 1603
Category: System and Services Acquisition
Title: Developer Security Testing And Evaluation - Implement Remediation Process
Ownership: Customer, Microsoft
Description: The organization requires the developer of the information system, system component, or information system service to: Implement a verifiable flaw remediation process; and
Requirements: The Azure system owner is responsible for ensuring that all system development and maintenance activities are performed in accordance with the Microsoft SDL process. A formal review process is implemented to ensure that new or modified source code authored by Microsoft’s online services staff is developed in a secure fashion, no malicious code has been introduced into the system, and that proper coding practices are followed. The reviewers’ names, review dates, and review results are documented in Azure DevOps, and maintained for audit purposes. A formal security quality assurance process is implemented to test for vulnerabilities to known security exposures and exploits. The process includes the use of automated security testing tools and requires that all vulnerabilities are remediated in accordance with the SDL BugBar. A ticket for each vulnerability is opened in Azure DevOps and tracked to resolution.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a
JSON
api-version=2021-06-01
EPAC