IT Security Standard: Web Application Version Control

Brief Description:

To ensure the tracking and documentation of changes, and the integrity and retention of source code, developers of all campus web applications are required to use a version control system.


Version control systems allow tracking and documentation of changes to software, management of concurrent access when multiple people must work on the same files, comparison of the differences between versions of source code, and simplified recovery to an earlier version in case of errors.


This standard applies to any departments that develop and maintain web applications.



  1. A version control system must be used to track and retain information about changes.
  2. Appropriate security must be implemented to prevent the users of individual accounts from accessing or modifying another account’s data via the version control system or the operating system.
  3. The version control system, along with its data, must be backed up on a regular basis.


  1. At a minimum, the version control system should describe the change, record who made the change, retain the date/time of the change, retrieve past versions, and compare versions. Commonly used version control systems are Bazaar, CVS, Darcs, Git, Mercurial, Monotone, SVK, and SVN. Refer to the “Related Procedures and Resources” section below for a link to a comparison of some version control software.
  2. Content management systems should be used for implementing version control on static web pages.


Web Application - For the purposes of these IT Security Standards, a web application is defined as any application that connects to a campus network and/or the Internet and that dynamically accepts user input.


All developers must have the proper authority and security access to implement software changes.

Non-Compliance and Exceptions:

Applications may be scanned or physically examined for compliance with this standard at any time.  If a web application is found to be non-compliant and the problem is not resolved in the timeframe determined in consultation with the Information Security Office, the host device may be removed from the Cal Poly network until it does comply.  If it is technically infeasible for an information asset to meet this standard, departments must submit a request for exception to the Vice Provost/CIO and Information Security Officer for review and approval.


Effective Date: 9/30/2010
Review Frequency: Annual
Responsible Officer: Vice Provost/Chief Information Officer

Revision History

Date | Action | Pages
9/30/2010 | Release of New Document | All
9/05/2014 | Reviewed | All

