PO.5.2: Secure and harden development endpoints (i.e., endpoints for software designers, developers, testers, builders, etc.) to perform development-related tasks using a risk-based approach.
Example 1: Configure each development endpoint based on approved hardening guides, checklists, etc.; for example, enable FIPS-compliant encryption of all sensitive data at rest and in transit.
Example 2: Configure each development endpoint and the development resources to provide the least functionality needed by users and services and to enforce the principle of least privilege.
Example 3: Continuously monitor the security posture of all development endpoints, including monitoring and auditing all use of privileged access.
Example 4: Configure security controls and other tools involved in securing and hardening development endpoints to generate artifacts for their activities.
Example 5: Require multi-factor authentication for all access to development endpoints and development resources.
Example 6: Provide dedicated development endpoints on non-production networks for performing all development-related tasks. Provide separate endpoints on production networks for all other tasks.
Example 7: Configure each development endpoint following a zero trust architecture.