Source code security management specification

Table of contents

1 Goal
2 Preamble
2.1 Security requirements
2.2 Scope of use
2.3 Concrete operation
3 Source code integrity guarantees
4 Authorized access to source code
5 Code copy and dissemination
6 Day-to-day management of the source code platform
7 Summary


1 Goal

        To protect the company's intellectual property and keep the integrity and confidentiality of its important source code under effective control, so that it is not obtained, copied, disseminated or altered without authorization, management may refer to this source code security management specification.

2 Preamble

2.1 Security requirements

        Source code includes the program code written by developers to implement functionality, together with the corresponding development and design documents and related materials. The key modules to be protected include modules that handle sensitive information, such as encryption and decryption algorithms, and basic logic modules, such as the database access base class library. Key modules are protected with a combination of measures such as strong-name signing of assemblies, obfuscation, encryption and access control. Note that strong naming and obfuscation only raise the cost of tampering and reverse engineering; they do not prevent disclosure, so access control on the repository and the build machines remains the measure that actually limits who can read the code.

2.2 Scope of use

This specification applies to all personnel, in any position, who access source code, including third-party outsourcing personnel; all such personnel must follow it.

2.3 Concrete operation

All personnel, including third-party personnel, must sign a confidentiality agreement that specifies their confidentiality obligations, and must understand and strictly implement the relevant confidentiality regulations.

3 Source code integrity guarantees

  1. All software source code files and the corresponding development and design documents must be added promptly to the designated repository on the designated source code server.
  2. Third-party software, controls and other supporting libraries that the software needs in order to run must also be added promptly to the designated library on the source code server, so that a build can be reproduced from the server alone.
  3. Before software is written or coded, its corresponding design documents must be checked into the source code repository. Before coding or functional changes are submitted to the technical support department for testing and verification, the corresponding source code must be checked into the repository.
  4. When testing, the technical support department must obtain the code from the repository on the source code server, including the necessary third-party software, controls and supporting libraries, and then perform an integrated build and test. Building from the repository rather than from a developer's working copy ensures that what is tested is exactly what is recorded.

4 Authorized access to source code

  1. The source code server enforces operating-system-level access authorization, based on user identity and password, for access to the shared source code repository.
  2. Users are set up in the source code repository, and each user is assigned the minimum access permissions appropriate to their work.
  3. User identity and password must be verified when connecting to the repository. Within the repository, access, creation, edit, delete and destroy rights must be granted separately for different users. Read and write permissions are strictly controlled and assigned on the principle of least privilege; when a developer no longer needs to update the source code of an information system, their account must be deleted promptly.
  4. When a work assignment changes, the user's related permissions must be revoked immediately, and a designated person must be responsible for administering the repository. Every user is responsible for not disclosing their identity and password, and should change the password of their VSS database account regularly.
  5. Computers used to access or hold source code must be dedicated to designated personnel; nobody else may operate or use such a computer without the authorization of the R&D department manager. The computer's owner must neither consent to nor ignore unauthorized use by others. Only the R&D department manager may issue authorization to use a computer that accesses or holds source code.
  6. Before a computer that has held or accessed source code is used for another purpose or leaves the R&D department, the network administrator must completely remove the source code stored on its hard disk. If this cannot be confirmed, every hard drive in the computer must be wiped in full before it is used for another purpose or leaves the department. A quick format only discards file system metadata and leaves the data recoverable, so the wipe must overwrite the whole drive or use the drive's secure-erase function.
  7. External storage devices must not be connected directly to R&D computers. Where files must be copied, this is done on a public computer designated by the R&D department, under the supervision of the network administrators; that public computer must never access, handle or store source code files.
  8. Through network segmentation, the R&D department's computers form their own isolated local area network, and other network segments must not be able to reach the R&D network or the equipment on it.

5 Code copy and dissemination

  1. Source code files, including technical materials such as design documents, must not be transmitted over external network channels such as QQ, MSN or email.
  2. Copying source code outside the R&D department requires the written authorization of the general manager, and the copier, approver, copying time, purpose, destination, and file version or content must be recorded.
  3. Backups of source code on any form of media must be kept by a designated person. Borrowing such media for use within the R&D department requires authorization from the R&D department manager; use outside the R&D department requires the written authorization of the general manager.
  4. Source code listings, design documents and similar materials in paper form must be managed by designated personnel. Their use is limited to the R&D department; borrowing, distributing or copying them for any use outside the department, or taking them out of the department, requires the written authorization of the general manager.
  5. Where source code or materials, in whole or in part, must be copied, disseminated or distributed to a partner for cooperation purposes, a technology and source code confidentiality agreement must first be signed with that party, setting out its responsibility and obligation to keep the source code confidential.

6 Day-to-day management of the source code platform

  1. The software's source code files and the corresponding development and design documents must be added promptly to the designated library on the designated source code server.
  2. The source code management platform must not store any production environment configuration, including but not limited to IP addresses, port numbers and database passwords. Such values belong in the deployment environment or a secret store and are read at run time. A secret that has been committed must be treated as compromised and rotated, because it remains in the repository history even after the file is changed.
  3. Regularly review the accounts on the source code management platform, remove invalid or unused accounts, and tidy up account permissions.
  4. During a project's launch phase, check how each project uses the platform, including but not limited to disk space, directory layout standards and archiving.
  5. Regularly inspect the status of the servers running the source code management platform, including but not limited to server performance, the regular backups and server security.
  6. An operating report for the source code platform is issued every quarter.
  7. Regularly run vulnerability scans against the source code management platform and keep it patched with current versions.

7 Summary

This document is intended as guidance and should be adjusted and revised to suit the specific situation.

Origin blog.csdn.net/u013380694/article/details/128980046