Security templates. https://www.fedramp.gov/resources/templates-2016/
Here’s a list of some of the things I was looking to ensure were included in the project documentation:
- Data flow diagrams.
- Network diagrams.
- Information about interconnected systems.
- Inventories of applications and technologies used.
- Programming languages used.
- A description of the secure development process. Is code scanning done in development with tools such as DevInspect or Greenlight?
- Further details on all forms including type, character limitations, specs on input validation. How are fields protected from injection attacks?
- Security specs, details on all encryption algorithms, etc.
- List of all IP protocols utilized for everyday functionality as well as administration with IP type (TCP/UDP) and direction (Inbound, Outbound, Bi-directional) as well as purpose.
- Configuration baselines for servers and devices. Documentation that shows servers and devices have been hardened appropriately per security best practices. Are default accounts removed or disabled? Are patches & hotfixes installed? Are unnecessary applications or services removed or disabled? Are firewalls locked down?
- List of all open source code licenses used.
- List of training that developers take related to information security and DevOps security, as well as how often.
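The protocol inventory item above is easier to keep honest when it is a machine-readable list rather than a table in a document, because it can then be validated and compared against what a host is actually listening on. The following is an added example (not code from the original post) that stores the inventory as records with port, IP type, direction and purpose, checks each record for completeness, and diffs the documented inbound services against a constructed, `ss -lntu`-style listing. The inventory contents, the `ProtocolEntry` field names and the sample listener output are all assumptions made for the illustration.

```python
"""Validate a documented IP protocol inventory and check it against observed listeners."""
from dataclasses import dataclass

ALLOWED_TYPES = {"TCP", "UDP"}
ALLOWED_DIRECTIONS = {"Inbound", "Outbound", "Bi-directional"}


@dataclass(frozen=True)
class ProtocolEntry:
    """One row of the inventory: port, IP type, direction and purpose (assumed layout)."""
    port: int
    ip_type: str
    direction: str
    purpose: str
    admin: bool = False  # True when the port exists for administration rather than everyday use


# Constructed sample inventory, not a real system's documentation.
INVENTORY = [
    ProtocolEntry(443, "TCP", "Inbound", "HTTPS for end users"),
    ProtocolEntry(22, "TCP", "Inbound", "SSH for administrators", admin=True),
    ProtocolEntry(161, "UDP", "Inbound", "SNMP polling from the monitoring host", admin=True),
    ProtocolEntry(53, "UDP", "Outbound", "DNS resolution"),
    ProtocolEntry(123, "UDP", "Outbound", "NTP time sync"),
]

# Constructed sample in the column layout of `ss -lntu` (header, then one listener per line).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*
"""


def validate_inventory(entries):
    """Return a list of problems with the inventory; an empty list means it is well-formed."""
    problems = []
    seen = set()
    for e in entries:
        key = (e.ip_type, e.port)
        if key in seen:
            problems.append(f"duplicate entry for {e.ip_type}/{e.port}")
        seen.add(key)
        if not 1 <= e.port <= 65535:
            problems.append(f"port {e.port} is out of range")
        if e.ip_type not in ALLOWED_TYPES:
            problems.append(f"{e.ip_type}/{e.port}: IP type must be one of {sorted(ALLOWED_TYPES)}")
        if e.direction not in ALLOWED_DIRECTIONS:
            problems.append(f"{e.ip_type}/{e.port}: direction must be one of {sorted(ALLOWED_DIRECTIONS)}")
        if not e.purpose.strip():
            problems.append(f"{e.ip_type}/{e.port}: purpose is missing")
    return problems


def parse_ss_listeners(text):
    """Parse `ss -lntu`-style output into a set of (IP type, port) listening sockets."""
    listeners = set()
    for line in text.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        local_addr = fields[4]
        port = int(local_addr.rsplit(":", 1)[1])  # works for IPv4 and bracketed IPv6 forms
        listeners.add((fields[0].upper(), port))
    return listeners


def find_drift(entries, observed):
    """Compare documented inbound services with observed listeners.

    Returns (undocumented, unobserved): listeners missing from the inventory, and
    documented inbound services that are not actually listening.
    """
    documented = {
        (e.ip_type, e.port) for e in entries if e.direction in {"Inbound", "Bi-directional"}
    }
    undocumented = sorted(observed - documented)
    unobserved = sorted(documented - observed)
    return undocumented, unobserved


if __name__ == "__main__":
    for problem in validate_inventory(INVENTORY):
        print("inventory problem:", problem)
    undocumented, unobserved = find_drift(INVENTORY, parse_ss_listeners(SAMPLE_SS))
    for ip_type, port in undocumented:
        print(f"listening but not documented: {ip_type}/{port}")
    for ip_type, port in unobserved:
        print(f"documented inbound but not listening: {ip_type}/{port}")
```

Run against the constructed sample, the check reports a listener on TCP/3306 that the inventory never mentions and a documented SNMP service that is not actually running. Either finding is worth a question during the review: an undocumented listener may be an unhardened service, and a documented one that does not exist suggests the inventory is stale. Outbound entries are deliberately not compared, since a listening-socket snapshot says nothing about them; they would need to be checked against firewall rules instead.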