UnixTime

Research Note

Outsourced Development Security Requirements Checklist

Use this checklist before signing or renewing a development contract, statement of work, or supplier delivery plan.

On this page

When to use this

Use this checklist before signing or renewing a development contract, statement of work, or supplier delivery plan.

Checklist

  • Development scope is defined.
  • Information and system sensitivity is documented.
  • Secure development requirements are included.
  • Secure coding standards are referenced.
  • Security testing requirements are included.
  • Vulnerability remediation timelines are defined.
  • IP ownership and licence obligations are defined.
  • Open-source and third-party component rules are defined.
  • Audit rights or assurance evidence requirements are defined.
  • Developer training or competence expectations are defined.
  • Subcontractor approval and flow-down requirements are defined.
  • Acceptance criteria include security evidence.

Requirements table

Requirement Applies? Contract/SOW reference Owner Evidence expected
Secure coding TBD TBD TBD TBD
Security testing TBD TBD TBD TBD
Vulnerability remediation TBD TBD TBD TBD
IP/licence control TBD TBD TBD TBD
Audit/assurance TBD TBD TBD TBD