What is ISO 27001 Secure Coding?
ISO 27001 Annex A 8.28 Secure Coding is an ISO 27001 control that requires us to develop code and software and systems with information security designed and built in. You may hear the term – ‘security by design and default’. The goal is to reduce the number of potential information security weaknesses in software.
Purpose
ISO 27001 Annex A 8.28 is a preventive control to ensure software is written securely thereby reducing the number of potential information security vulnerabilities in the software.
Definition
The ISO 27001 standard defines ISO 27001 Annex A 8.28 as:
Secure coding principles should be applied to software development.
ISO27001:2022 Annex A 8.28 Secure Coding
Implementation Guide
I am not in the business of telling you how to develop either systems or software. These are professions in their own right. Whilst I am a degree educated and time served software engineer, what I am going to do is show you want the ISO 27001 standard expects in the implementation for you to achieve ISO 27001 certification. These are on the whole, no brainers, common sense and what you would expect but let us take a look anyway.
DO IT YOURSELF ISO 27001
All the templates, tools, support and knowledge you need to do it yourself.
Secure Development Policy
The first step is to create, or download, your secure development policy. The secure development policy set’s out what you do for information security in the context of software and systems development. It does not set out how you do it, as how you do it is covered in your processes.
General
A lot of what is required here is covered in the other ISO 27001 Annex A Clauses and specifically you should pay attention to:
ISO 27001 Annex A 8.25 Secure Development Life Cycle
ISO 27001 Annex A 8.26 Application Security Requirements
ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles
You need to establish your processes for secure coding and set your security baseline. These should be applied to in-house as well as third party developers and open source software if applicable.
Threat Analysis
The use of threat analysis will be used to inform on vulnerabilities and guide the principles and processes that you have for secure coding.
More information on threat analysis is covered in: ISO 27001 Annex A 5.7 Threat Intelligence
Before Coding
Before you start coding the standard has considerations that cover new developments and reuse. These prerequisties include:
- Approved principles of secure coding
- Understanding of common and historical coding practices that lead to information security vulnerabilities
- Following development tool provider guidelines
- Maintaining, patching, updating development tools
- Secure design and architecture: ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles
- Use of a controlled development environment
During Coding
During coding you will evidence and have in place
- Practices and processes based on the principles agreed
- Use secure coding techniques
- Use structured programming techniques
- Document Code
- Prohibit and prevent insecure design technqiues
- Test during and after development
Once code is operational
Once code is operational and in place you will perform review and maintenance and consider
- Securely Packaging and Deploying Updates
- Handle Reported Information Security Vulnerabilities
- Log errors and suspected attacks
- Protect source code from unauthorised access
Third party tools and libraries
If you have used third parties tools or libraries then you will have ensured that you
- have appropriate licensing for what you are doing,
- done due diligence and vetting
- acquired from an authorised and trusted source
- understood the lifetime limitations, if any, on what you use
- assessed the risk
- assessed compatibility with existing software
Coding Guidelines
You are going to make sure that you have documented coding guidelines. These can be standard guidelines or industry best practice, and you likely already do this today, just make sure that this written down, communicated and available to those that need it.
Separate Environments
You are going to make sure that for the in-scope developments that you have separate development, test and live environments with the appropriate management and controls in place around this. This will include the process of promoting through those environments and the authorisations and approvals and acceptance.
Specification and Design
What ever methodology you use it is likely to have a specification and design phase. I am not sure of a situation where you would not, although could, but it is at these phases that you will evidence that information security was considered. Here we place a lot of reliance on ISO 27001 Annex A 5.8 Information Security In Project Management. The same is true when it comes to security checkpoints in projects.
The advice here would be to have in your project management either a placeholder in an existing template / document or create a security specific one. Be sure you are considering things like access requirements, data transfers, technical controls, risks and risk mitigations. Have checkpoints with go / no go decisions and a process for what you do if the checkpoint fails.
Testing
All secure development will have testing. It is not our place, again, to tell you how to test as again, this is a profession in its own right but there must be a level of security testing in place that looks at the three parts of information security being confidentiality, integrity and availability.
Simple testing that can be considered here would be penetration testing, vulnerability testing, regression testing, code scanning and code testing.
Code Repositories
The configuration and management of code and code libraries should be carefully considered and documented. Many tools exist that can help with this and automate many of the tasks.
Knowledge and Experience
The standard touches on this in a number of areas, having people with the right knowledge and / or experience to perform the role. This is also true of the secure development lifecycle. Having a competency matrix and being able to point to qualifications or certifications will help. Where there are gaps a plan, such as training, should be in place but these are basic HR and people functions that are common place in any role.
Outsourced Development
If you outsource your development then the third party supplier controls will apply. The main thing is to ensure they meet your requirements for secure development but all relevant controls will apply to them.
Conclusion
Many if not all of the controls that apply to this control are covered elsewhere. Be it the experience, licensing, technical controls but consider them in the context of this clause and be able to evidence them as they apply to secure development.