| Source | Azure Portal | ||
| Display name | Microsoft Managed Control 1609 - Development Process, Standards, And Tools | ||
| Id | 9e93fa71-42ac-41a7-b177-efbfdc53c69f | ||
| Version | 1.0.0 Details on versioning |
||
| Category | Regulatory Compliance Microsoft Learn |
||
| Description | Microsoft implements this System and Services Acquisition control | ||
| Additional metadata |
Name/Id: ACF1609 / Microsoft Managed Control 1609 Category: System and Services Acquisition Title: Development Process, Standards, And Tools - Develops Ownership: Customer, Microsoft Description: The organization: Requires the developer of the information system, system component, or information system service to follow a documented development process that: Explicitly addresses security requirements; Identifies the standards and tools used in the development process; Documents the specific tool options and tool configurations used in the development process; and Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and Requirements: All development in Azure must follow the Security Development Lifecycle (SDL) process for all engineering and development projects. The SDL process includes the following: * Addressing security requirements: The Requirements phase of the SDL includes the project inception—when the organization considers security and privacy at a foundational level—and a cost analysis—when determining if development and support costs for improving security and privacy are consistent with business needs. * Identifying standards and tools/documents tools and configurations: The Implementation phase is when the organization creates the documentation and tools the customer uses to make informed decisions about how to deploy the software securely. To this end, the Implementation phase is when the organization establishes development best practices to detect and remove security and privacy issues early in the development cycle. Microsoft understands, observes, and implements the security requirements and considerations as outlined in IT Security Procedural Guide 09-48, Security Language for IT Acquisition Efforts, dated September 2009 for the information system consistent with the Azure offering’s requirements. * Documents, manages, and ensures the integrity of changes: During the Verification phase, the organization ensures that the code meets the security and privacy tenets established in the previous phases. This is done through security and privacy testing, and a security push—which is a team-wide focus on threat model updates, code review, testing, and thorough documentation review and edit. A public release privacy review is also completed during the Verification phase. |
||
| Mode | Indexed | ||
| Type | Static | ||
| Preview | False | ||
| Deprecated | False | ||
| Effect | Fixed audit |
||
| RBAC role(s) | none | ||
| Rule aliases | none | ||
| Rule resource types | IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups |
||
| Compliance | Not a Compliance control | ||
| Initiatives usage | none | ||
| History | none | ||
| JSON compare | n/a | ||
| JSON |
|