10.1 Security requirements of systems - security requirements should be analyzed, fully identified and agreed at the earliest stage of the systems development process.
10.2 Security in application systems - data entry, processing and output validation controls and message authentication should be included as appropriate (according to risk).
10.3 Cryptographic controls - a cryptography policy should be defined, covering roles and responsibilities, digital signatures, non-repudiation, and the management of keys and digital certificates.
10.4 Security of system files - access to system files (both executable and source code) and test data should be controlled.
10.5 Security in development and support processes - application system managers should be responsible for controlling application system access and changes, including system patches. Vendor-supplied applications should ideally not be modified. Checks should be made for covert channels and Trojans if these are a concern. A number of controls are outlined for outsourced development.