Secure Development Practices Policy
Document Owner: Pobl Tech Limited (T/A Pobl)
Overview
This policy defines how security is embedded throughout the design, development, testing, deployment, and maintenance of all digital systems and services delivered by Pobl.
Its purpose is to ensure that systems are built and maintained in a way that protects data, reduces risk, and prevents vulnerabilities arising from development activity.
Security is treated as a core requirement at every stage of delivery.
Scope
This policy applies to all development and technical configuration work undertaken by Pobl, including:
Website and application development
Content management systems
Form handling and data processing
API development and integrations
Configuration changes and updates
Maintenance, enhancements, and defect resolution
It applies across all environments, including development, testing, staging, and production.
Our approach
We ensure that security is considered and applied throughout the full development lifecycle.
This includes:
Designing systems with security in mind from the outset
Following established coding standards and best practice
Applying controlled deployment and release processes
Maintaining systems securely over time
Security is not treated as an add-on. It is built into how systems are designed and delivered.
Secure design principles
Security requirements are identified during the planning and design stages of all work.
This includes consideration of:
Data sensitivity and classification
Authentication and authorisation requirements
Data flows between systems and services
Potential threats, misuse scenarios, and failure points
Design decisions take these factors into account, with appropriate safeguards applied.
Development standards and controls
All development work follows internal standards and recognised good practice.
This includes:
Avoiding hard-coded credentials, secrets, or keys
Validating and sanitising all user input
Protecting against common web application vulnerabilities
Using supported and maintained frameworks and libraries
Third-party components, plugins, and dependencies are reviewed before use and monitored for updates and security issues.
Environment management
Development, testing, and production environments are kept separate.
Live environments are not used for development or testing
Access to production systems is restricted to authorised personnel
Access is granted only where required for operational purposes
Testing and assurance
All changes are tested before deployment to ensure:
Intended functionality works as expected
Existing functionality is not affected
Security controls remain effective
Testing is proportionate to the nature of the change and may include functional, regression, and security-focused testing.
Deployment and release management
Deployments follow a controlled and documented process aligned with our Change Management Process.
This includes:
Review and approval of changes before release
Defined deployment procedures
Rollback plans to allow recovery if needed
Emergency changes are recorded and reviewed after implementation.
Patch and dependency management
Frameworks, platforms, plugins, and libraries are monitored for updates and security advisories.
Security patches are applied in a timely manner
Updates are tested before release
Changes follow established control processes
Logging and monitoring
Where appropriate, systems record logs relating to:
Errors
Access events
Key system activity
Logs are protected and used to support monitoring, investigation, and incident response.
Responsibilities
Developers
Responsible for:
Following secure development practices
Applying this policy in day-to-day work
Technical leads
Responsible for:
Overseeing compliance
Reviewing development activity
Senior management
Responsible for:
Ensuring this policy is implemented and maintained
Compliance
Failure to follow this policy may introduce security risks and will be addressed through internal review and corrective action where required.
Review and maintenance
This policy is reviewed:
At least annually
Following significant changes to systems, technologies, or security requirements
Following major incidents or identified risks
Governance
The owner of this policy is Senior Management, Pobl Tech Ltd.
Responsibilities
The Document Owner is responsible for:
Keeping the policy accurate and up to date
Approving updates and changes
Ensuring the policy is communicated and applied
Approval
This policy has been reviewed and approved by senior management.
Approval confirms that the policy:
Reflects current working practices
Aligns with legal and contractual obligations
Is appropriate for the scale and nature of services delivered
Review schedule
This document will be reviewed:
At least annually
Following significant changes to systems, services, or regulatory requirements
Following major incidents or material changes in risk
Distribution
This policy is available to relevant staff and can be provided to clients or auditors where required.
Final note
Secure development is fundamental to how we deliver reliable and trusted digital systems.
By embedding security into every stage of the development lifecycle, we reduce risk and ensure that the platforms we build remain stable, secure, and fit for purpose over time.