Table of contents
- ISO 27002 Secure Coding
- What is ISO 27002:2022 Control 8.28?
- Definition of ISO 27002 Control 8.28
- Purpose of ISO 27002 Control 8.28
- Ownership of ISO 27002 Control 8.28
- Compliance Guidance
- Supplementary Guidance on ISO 27002 Control 8.28
- Changes and Differences to ISO 27002:2013
- ISO 27002 Control 8.28 FAQ
- ISO 27002 Control 8.28 Attributes Table
ISO 27002 Secure Coding
“Secure Coding” is a critical control because it builds security directly into the software development process rather than treating it as an afterthought. This aligns with the concept of “security by design and default,” where security is designed into the software from the ground up.
What is ISO 27002:2022 Control 8.28?
ISO 27002 Control 8.28 Secure Coding provides implementation guidance on how to implement ISO 27001 Annex A 8.28.
Definition of ISO 27002 Control 8.28
ISO 27002 defines Control 8.28 as requiring the application of secure coding principles throughout the entire software development lifecycle.
This includes activities such as:
- Code reviews: Regularly reviewing code for security vulnerabilities.
- Threat modelling: Identifying and addressing potential security threats during the design and development phases.
- Secure coding standards: Adhering to established secure coding guidelines and standards.
- Developer training: Educating developers on secure coding principles and techniques.
Purpose of ISO 27002 Control 8.28
This is a preventive control: it aims to proactively prevent security vulnerabilities by ensuring secure software development practices.
Ownership of ISO 27002 Control 8.28
To ensure compliance with Control 8.28, the Chief Information Security Officer (CISO) is ultimately accountable, working in collaboration with the development team.
Compliance Guidance
Organisations must establish and maintain robust processes for secure coding. This includes:
Establishing a Secure Coding Framework:
- Define and implement organisation-wide secure coding standards and guidelines.
- Establish a minimum security baseline for all software development activities.
- Extend these practices to cover third-party components and open-source software.
Continuous Improvement:
- Continuously monitor emerging threats and vulnerabilities.
- Regularly review and update secure coding principles based on new information and best practices.
Before Coding:
- Define clear expectations and approved principles for secure coding.
- Analyse historical coding practices and common vulnerabilities.
- Configure development tools (e.g., IDEs) to support secure coding practices.
- Ensure developers are qualified and trained in secure coding techniques.
- Incorporate secure design and architecture principles, including threat modelling.
During Coding:
- Utilise secure coding practices specific to the programming languages being used.
- Employ techniques like pair programming, code reviews, and test-driven development.
- Adhere to structured programming principles.
- Document code thoroughly and address identified defects promptly.
- Prohibit the use of insecure design techniques (e.g., hard-coded passwords).
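As an added illustration of the last two points above (configuring development tools to support secure coding, and prohibiting hard-coded passwords), here is a small pre-commit style check that flags credential-looking variables assigned a string literal while letting values pulled from the environment or a secrets store pass. This is example code written for this page, not part of ISO 27002 or of any particular scanning tool; the list of credential variable names, the regular expression, and the sample source lines are constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    variable: str
    reason: str


# Variable-name fragments that usually hold credentials (assumed list; extend to taste).
CREDENTIAL_NAMES = r"(?:password|passwd|pwd|secret|api_key|apikey|token|private_key)"

# A credential-looking name assigned a quoted literal, e.g. PASSWORD = "hunter2".
# Accepting ':' as well as '=' lets the same check run over YAML/JSON-style config.
LITERAL_ASSIGNMENT = re.compile(
    rf"""^\s*(?P<name>\w*{CREDENTIAL_NAMES}\w*)\s*[:=]\s*(?P<quote>['"])(?P<value>.*?)(?P=quote)""",
    re.IGNORECASE,
)


def scan_source(text):
    """Return a Finding for every line that hard-codes a credential as a string literal.

    Lines that are blank or comments are ignored, as are empty defaults ("") and
    template placeholders ("${...}") that are filled in at deployment time.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # nothing executable on this line
        match = LITERAL_ASSIGNMENT.match(line)
        if match is None:
            continue  # not a quoted literal assignment (e.g. os.environ[...] or a function call)
        value = match.group("value")
        if value == "" or value.startswith("${"):
            continue  # empty default or placeholder resolved from outside the source tree
        findings.append(Finding(line_no, match.group("name"), "credential assigned a string literal"))
    return findings


# Constructed sample source (not from any real project) showing what is and is not flagged.
SAMPLE_SOURCE = """\
db_user = "app"
DB_PASSWORD = "Sup3rS3cret!"   # hard-coded credential: flagged
api_key = os.environ["API_KEY"]   # read from the environment: not flagged
password = get_password_from_vault()   # fetched at runtime: not flagged
token = 'ghp_example0000000000000000000000000000'   # hard-coded credential: flagged
# password = "old-value"   # comment: skipped
SMTP_PASSWORD = ""   # empty default: skipped
secret = "${VAULT_SECRET}"   # deployment-time placeholder: skipped
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding.line_no}: {finding.variable}: {finding.reason}")
```

Wiring a check like this into the IDE or a pre-commit hook is what "configure development tools to support secure coding practices" looks like in practice: the rule is enforced before code reaches review, and the approved alternative (environment variables or a secrets manager) is visible in the same output.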
After Coding:
- Conduct thorough security testing throughout the development and testing phases.
- Securely package and deploy software applications.
Vulnerability Management:
- Respond to reported vulnerabilities effectively (see Control 8.8).
- Monitor logs for errors and suspected attacks to identify and address issues.
- Protect source code from unauthorised access and tampering.
Using External Components:
- Manage external libraries effectively (e.g., maintain an inventory and ensure timely updates).
- Select and utilise well-vetted components, especially for critical functions like authentication and cryptography.
- Consider the licence, security history, and long-term availability of external components.
Modifying Software Packages:
- Carefully consider the potential risks.
- Assess the impact of modifications on the integrity of built-in security controls.
- Obtain vendor consent when necessary.
- Evaluate whether the required changes can be obtained through standard program updates instead.
- Determine the impact of potential future maintenance responsibilities.
- Ensure compatibility with other software systems.
Supplementary Guidance on ISO 27002 Control 8.28
Secure Code Execution:
- Tamper Resistance: Ensure that security-relevant code is executed as intended and cannot be easily modified or compromised.
- Secure Execution Environments: For interpreted languages, restrict code execution to secure environments (e.g., servers with limited user access, cloud services with strong access controls) to minimise the risk of unauthorised access and modification.
- Strong Authentication: Implement robust authentication and authorisation mechanisms for administrative access to secure environments.
Assume Breach:
- Design applications under the assumption that they are always subject to attack, whether intentional or unintentional.
- Implement fault tolerance mechanisms to minimise the impact of potential errors or attacks.
Prevent Common Vulnerabilities:
- Address common web application vulnerabilities like SQL injection and cross-site scripting through secure design and coding practices.
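To make the SQL injection and cross-site scripting points concrete, here is an added example (not from the standard and not this page's own code) showing a vulnerable database lookup and a vulnerable HTML template beside their hardened forms. It uses only Python's standard sqlite3 and html modules on a constructed in-memory table; the table contents and the probe string are assumptions made for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Build a constructed in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_user_vulnerable(conn, name):
    # Interpolating the caller's value into the statement text means a value that
    # contains a quote can change the query's logic: this is the pattern to prohibit.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, name):
    # A bound parameter travels separately from the statement text, so the database
    # treats it purely as data regardless of the characters it contains.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting_vulnerable(name):
    # Raw interpolation into HTML lets a value that contains markup become markup.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    # Escaping at the point of output keeps user-supplied text as text in the page.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"  # constructed test input containing a quote character
    print("vulnerable lookup:", lookup_user_vulnerable(conn, probe))  # every row comes back
    print("safe lookup:     ", lookup_user_safe(conn, probe))         # no such user: empty
    print(render_greeting_vulnerable("<b>x</b>"))
    print(render_greeting_safe("<b>x</b>"))
```

The two defences follow the same rule: keep untrusted input out of the structure of whatever you are building (a SQL statement, an HTML document) by binding or encoding it for that specific context. A reviewer checking code against this control would look for string formatting into queries or templates and expect parameter binding or context-appropriate escaping instead.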
External Guidance:
- Refer to the ISO/IEC 15408 series for further guidance on information and communication technology (ICT) security evaluation.
Changes and Differences to ISO 27002:2013
Control 8.28 is a newly introduced control in ISO 27002:2022.
ISO 27002 Control 8.28 FAQ
ISO 27001 Annex A 8.28 is the information security control requirement in the ISO 27001 standard that must be met for ISO 27001 certification; ISO 27002 Control 8.28 is the implementation guidance for that control.
Yes, Secure Coding is a required information security control for ISO 27001 certification, if you do software development.
ISO 27002 Control 8.28 Attributes Table
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality, Integrity, Availability | Protect | Application Security, System and Network Security | Protection |