This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.8.28 Secure coding.
ISO 27001: 2022 Control Description
Secure coding principles shall be applied to software development.
Purpose
To ensure that software is written securely, reducing the risk of information security vulnerabilities.
Guidance on implementation
Establishing Secure Coding Practices
Organisations should develop comprehensive processes to govern secure coding across all development activities. This includes setting a minimum security baseline that applies to both internally developed software and third-party or open-source components. Staying informed about current threats and vulnerabilities is crucial for continually improving secure coding practices to address the rapidly evolving threat landscape.
Planning and Preparation
Secure coding principles should be applied to all software development, whether creating new software or reusing existing code. This applies to both in-house and outsourced projects. Before coding begins, consider the following:
- Organisation-Specific Secure Coding Expectations: Define and communicate secure coding standards for all development projects.
- Common Security Vulnerabilities: Be aware of common coding practices that lead to security vulnerabilities.
- Development Tools Configuration: Configure development tools, like Integrated Development Environments (IDEs), to support secure coding.
- Guidance from Tool Providers: Follow the security guidelines provided by the creators of development tools and platforms.
- Updated Tools: Ensure that development tools, such as compilers, are up-to-date.
- Developer Training: Ensure developers are qualified in secure coding practices.
- Secure Design and Architecture: Incorporate security from the design phase, including threat modelling.
- Secure Coding Standards: Implement and mandate secure coding standards as applicable.
- Controlled Development Environments: Use secure, controlled environments for development.
During Coding
While coding, keep the following in mind:
- Language-Specific Secure Practices: Apply secure coding practices tailored to the programming languages in use.
- Secure Programming Techniques: Use techniques like pair programming, refactoring, peer reviews, security iterations, and test-driven development.
- Structured Programming: Follow structured programming techniques to enhance security.
- Code Documentation and Defect Removal: Document the code thoroughly and eliminate defects that could lead to security vulnerabilities.
- Avoid Insecure Design: Prohibit the use of insecure design methods, such as hard-coded passwords and unauthenticated web services.
Security testing should be performed throughout development, including static application security testing (SAST) to identify vulnerabilities.
Before making software operational, evaluate:
- Attack Surface and Least Privilege: Minimise the attack surface and apply the principle of least privilege.
- Common Programming Errors: Analyse and mitigate common programming errors.
Review and Maintenance
After the software is deployed:
- Secure Updates: Ensure that updates are securely packaged and deployed.
- Vulnerability Management: Address reported security vulnerabilities promptly.
- Logging and Monitoring: Log errors and suspected attacks, regularly reviewing these logs to improve code security.
- Source Code Protection: Protect source code from unauthorised access and tampering using tools like configuration management systems with access and version control features.
External Tools and Libraries
When using external libraries or tools, consider the following:
- Library Management: Maintain an inventory of libraries and ensure they are regularly updated.
- Component Selection: Choose well-vetted components, particularly for authentication and cryptographic purposes.
- Licence and Security History: Verify the licence, security, and history of external components.
- Long-Term Maintainability: Ensure that software is maintainable, tracked, and from reputable sources.
- Development Resources Availability: Ensure long-term availability of development resources and artefacts.
Modifying Software Packages
If a software package needs modification:
- Risk of Compromised Controls: Assess the risk of compromising built-in controls and integrity processes.
- Vendor Consent: Consider whether to obtain the vendor’s consent for modifications.
- Vendor Updates: Check if the required changes can be obtained through standard vendor updates.
- Future Maintenance Impact: Evaluate the impact of taking on future maintenance responsibilities.
- Compatibility: Ensure compatibility with other software in use.
Additional Information
- Security-Related Code: Ensure that security-relevant code is always invoked when needed and is tamper-resistant.
- Compiled vs Interpreted Code: For interpreted languages, consider running code on a secure server where access is tightly controlled. Use security mechanisms like just-in-time administration and strong authentication to protect administrator access.
- Assume Vulnerability: Design application code with the assumption that it could be subject to attack, and build in checks to ensure that output remains within safe boundaries, especially in critical applications.
- Web Application Security: Be aware of vulnerabilities specific to web applications, such as SQL injection and cross-site scripting, and design to mitigate these risks.