Ensure security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.
How SAKA meets this requirement: While StrongKey does not have written security policies and procedures (it is a small company of fewer than ten employees with highly specialized skills), StrongKey's security is fairly rigid for a company of its size:
It only uses Linux computers for all day-to-day work and software development;
It restricts root access to a small subset of employees and prohibits using that account for day-to-day work;
It segments its office network from its testing network and uses dedicated machines for quality assurance;
It uses digital certificates from an internal PKI for committing changes to its source code repository;
It uses TLS for all internal systems with the exception of its internal wiki for storing generalized technical data and documentation;
It uses the highest security levels as defaults in its software: at the time of writing this document (mid-2016), StrongKey is using 256-bit AES keys, 256-bit ECDSA keys, and TLS 1.2;
It tests web applications using OWASP tools and guidelines to ensure it eliminates vulnerabilities before software is released.
StrongKey periodically reviews and updates its security environment to ensure it continues to remain secure while building secure applications.