ITManagerToolkits.com has uploaded an Application Development Security Policy template in the Knowledge Network, along with some of its other templates, tools and checklists. This document in particular aims to help companies define security requirements for access to applications that are purchased or developed internally.
This template is part of a comprehensive IT Governance and Compliance Toolkit. The Toolkit is a collection of Microsoft Word forms, templates and instructional documents that help you assess and establish the crucial policies that you need to operate a secure and compliant IT organization.
Here are some of the suggested rules to better control the way passwords and accounts are managed during software development.
Password retrieval must be prevented. Computer and communication systems must be designed, tested, and controlled so as to prevent both the retrieval of, and unauthorized use of, stored passwords, whether the passwords appear in encrypted or unencrypted form.
Vendor default passwords must be changed. All vendor-supplied default passwords must be changed before any computer or communications system is used for company business.
Stored passwords must be encrypted. Passwords must always be encrypted when held in storage for any significant period of time or when transmitted over networks. Doing so will prevent them from being disclosed to wiretappers, technical staff who are reading system logs, and other unauthorized parties.
For the rest of the rules in this policy, check out the full template in the Knowledge Network.