Application Development.

a. Stack provides software as a solution. In developing the software provided as the Service, Stack shall adopt secure coding practices that address at a minimum the Open Web Application Security Project (OWASP) top ten vulnerabilities.

b. Stack will have documented policies and/or processes identifying where security checks, and the associated methods, are applied throughout the development lifecycle.

c. Stack will ensure that logs of activities on customer interfaces (for example but not limited to web server and database logs) and IT admin activity logs, both at server and GUI level, are logged remotely from the servers themselves (if the Service is hosted on Stack’s third-party provider system). The logs will be retained as per ▇▇▇▇▇’s retention policies.

d. At least annually, Stack shall, at its own cost, undertake an independent application and/or infrastructure penetration testing of Services provided to the Customer Group Company using an internationally recognised methodology such as OWASP. Evidence of independent testing can be provided, if requested in writing.

e. Vulnerability scans shall be performed at least quarterly. Stack shall install (a) critical security patches within thirty (30) days of the vendor’s release date; and (b) non-critical security patches within ninety (90) days of the vendor’s release date.
Appears in 3 contracts
Sources: Data Processing Agreement, Data Processing Agreement, Data Processing Agreement