ISO 27001:2022 Annex A Control 8.28
Abstract of Control 8.28: Secure coding
ISO 27001 Control 8.28: Secure Coding emphasizes integrating secure coding principles throughout your software development lifecycle (SDLC) to safeguard against vulnerabilities and protect the confidentiality, integrity, and availability of your systems.
Control Type
- Preventive
Information Security Properties
- Confidentiality
- Integrity
- Availability
Cybersecurity Concepts
- Protect
Operational Capabilities
- Application Security
- System and Network Security
Security Domains
- Protection
Objective of Control 8.28
The primary goal of ISO 27001 Control 8.28 is to minimize vulnerabilities in software by embedding security into every line of code. Whether you’re building applications in-house or outsourcing development, secure coding ensures your software is robust and prepared to withstand both intentional attacks and accidental mishaps.
Purpose: Embedding Security into Software Development
Why does secure coding matter to your organization? Here’s the reality: insecure software can open doors to data breaches, operational disruptions, and financial loss. Secure coding lets you:
- Proactively identify and mitigate vulnerabilities during development, before they reach production.
- Enhance software resilience against attacks.
- Build trust with your customers and stakeholders.
Governance and Secure Coding Standards
Before you start writing code, you need a solid foundation. This begins with governance:
- Establish a Secure Coding Baseline: Define standards and best practices for developers to follow, tailored to your organization’s needs.
- Monitor Threats: Stay updated on real-world vulnerabilities and emerging threats to refine your secure coding principles.
- Apply Standards Organization-Wide: Extend secure coding practices to in-house development, outsourced projects, and third-party components.
Planning for Secure Development
A little preparation goes a long way in creating secure, resilient software. It starts with thoughtful planning.
Steps Before Coding
- Define Secure Coding Expectations: Clearly outline secure coding principles for both internal teams and outsourced partners.
- Learn from the Past: Analyze historical coding defects and vulnerabilities to avoid repeating mistakes.
- Configure Secure Tools: Set up Integrated Development Environments (IDEs), linters, and compilers to enforce secure coding practices, for example by treating security-relevant warnings as errors and enabling compiler hardening options.
- Train Your Developers: Ensure all developers are qualified in writing secure code.
- Incorporate Threat Modeling: Identify potential risks and design secure architectures from the outset.
Best Practices During Coding
The coding phase is where vulnerabilities often creep in—but it’s also your chance to build your organization’s defenses.
Secure Coding Techniques
- Follow language-specific secure coding guidelines.
- Use structured programming techniques to enhance code readability and security.
- Prohibit insecure design techniques such as hard-coded passwords, unauthenticated web services, or unapproved code samples copied from external sources.
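One of the prohibitions above, hard-coded credentials, is easy to enforce mechanically in a pre-commit hook or CI step. The scanner below is an added example written for this page, not part of the standard or any vendor tool: it flags string literals assigned to credential-looking names and, separately, long quoted tokens whose Shannon entropy looks like a key rather than prose. The regexes, the placeholder list, the 3.5-bit threshold and the sample source are all constructed for the illustration (the AWS-style values are the documented example keys, not real ones).

```python
import math
import re
from collections import Counter

# Rule 1: a string literal assigned to a credential-like name, e.g. DB_PASSWORD = "..."
CREDENTIAL_NAME = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|token|private[_-]?key)\w*"
    r"\s*[:=]\s*['\"]([^'\"]{4,})['\"]"
)
# Rule 2: any quoted run of 20+ base64/hex-style characters, judged by entropy, not by name.
TOKEN_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/_\-=]{20,})['\"]")
# Values that are obviously placeholders and should not be reported (constructed list).
PLACEHOLDERS = {"changeme", "password", "example", "xxxx", "<redacted>", "todo"}

# Constructed sample source; line numbers are referenced in the usage below.
SAMPLE_SOURCE = """\
import os
# db_password = "not-a-real-one"   <- comment, ignored by the scanner
DB_PASSWORD = "Sup3r$ecretP@ss!"
api_key = os.environ["API_KEY"]    # correct: read the secret at runtime
AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
PLACEHOLDER_PASSWORD = "changeme"
GREETING = "Hello, welcome to the application dashboard"
BANNER = "================================"
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score well above words or repeated symbols."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_source(text: str, entropy_threshold: float = 3.5) -> list:
    """Return one finding per suspicious line; comment lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = CREDENTIAL_NAME.search(line)
        if m and m.group(2).lower() not in PLACEHOLDERS:
            findings.append({"line": lineno, "rule": "credential-name",
                             "name": m.group(1), "value": m.group(2)})
            continue  # already reported; do not double-count via the entropy rule
        for t in TOKEN_LITERAL.finditer(line):
            # Long literals with low entropy (separators, banners) are not keys.
            if shannon_entropy(t.group(1)) >= entropy_threshold:
                findings.append({"line": lineno, "rule": "high-entropy-literal",
                                 "value": t.group(1)})
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['rule']}: {f['value']!r}")
```

Running it on the sample reports lines 3 and 5 by name and line 6 by entropy; the environment lookup on line 4, the placeholder on line 7 and the low-entropy banner on line 9 are not reported. A real deployment would run this over the diff in CI and fail the build, and pair it with secret rotation, since a secret that was ever committed must be treated as exposed.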
Collaborative Coding Practices
- Pair Programming: Two sets of eyes catch vulnerabilities faster.
- Peer Reviews: Encourage team members to review each other’s work for security flaws.
- Test-Driven Development: Write tests first to ensure code meets security requirements as it’s written.
Testing and Validation
Testing is where your secure coding principles are put to the test—literally.
Testing Activities
- Static Application Security Testing (SAST): Scan your code for vulnerabilities during development.
- Dynamic Application Security Testing (DAST): Exercise the running application with realistic attack inputs to identify weaknesses that only appear at runtime.
- Security Reviews: Analyze the attack surface and ensure compliance with the principle of least privilege.
- Validate Configurations: Check firewalls, operating systems, and other components for secure configurations.
Maintenance and Continuous Improvement
Your job doesn’t end when the software goes live. Maintenance is crucial to keep your applications secure over time.
Ongoing Responsibilities
- Secure Updates: Package and deploy updates securely to avoid introducing vulnerabilities.
- Handle Vulnerabilities: Address reported issues promptly and update code as needed.
- Protect Source Code: Keep source in an access-controlled version control system so every change is attributable and reviewable, and tampering can be detected.
- Review Logs: Regularly analyze logs for errors or suspected attacks to identify areas for improvement.
Managing Third-Party and Open-Source Components
Third-party libraries and open-source tools are invaluable, but they come with risks.
How to Manage External Components:
- Maintain an inventory of libraries and their versions.
- Use only well-vetted components for critical functions like authentication and cryptography.
- Regularly update external libraries to address vulnerabilities.
- Review licenses and histories of components to ensure compliance and security.
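The four bullets above amount to a repeatable check: parse the inventory, match pinned versions against an advisory feed, and flag anything on the critical path (authentication, cryptography) that has not been vetted. The script below is an added example for this page, not part of ISO 27001 or any SCA product. All of its data is constructed: the package names, the advisory IDs and the affected ranges are fictional, and `APPROVED_CRITICAL` is an invented allowlist. Version parsing is deliberately simple; a production check would use a proper version library such as `packaging.version` and a real advisory source.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """One entry of a (constructed) advisory feed: versions in [introduced, fixed_in) are affected."""
    package: str
    introduced: str
    fixed_in: str
    advisory_id: str


# Constructed inventory in requirements style; nothing here refers to a real package or CVE.
INVENTORY = """\
# third-party components in use
acme-auth==1.4.2
fastjson-py==3.0.1
yaml-lite>=5.1          # not pinned
crypto-helper==0.9.5
"""
ADVISORIES = [
    Advisory("acme-auth", "1.0.0", "1.4.3", "ADV-0001"),
    Advisory("fastjson-py", "2.0.0", "3.0.0", "ADV-0002"),   # 3.0.1 is already fixed
    Advisory("crypto-helper", "0.9.0", "0.10.0", "ADV-0003"),
]
# Components that have been vetted for authentication/cryptography duties (constructed allowlist).
APPROVED_CRITICAL = {"acme-auth"}
CRITICAL_NAME = re.compile(r"crypt|auth|jwt|ssl|tls|oauth")


def parse_version(v: str) -> tuple:
    """'2.31' -> (2, 31, 0, 0); pre-release suffixes such as '0rc1' compare as the release."""
    parts = []
    for piece in v.strip().split(".")[:4]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts + [0] * (4 - len(parts)))


def parse_inventory(text: str) -> dict:
    """Return {package: pinned_version or None}; comments and blank lines are ignored."""
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            inventory[name.strip().lower()] = version.strip()
        else:
            # Any other specifier (>=, ~=, unversioned) means the build is not pinned.
            name = re.split(r"[<>=!~]", line, maxsplit=1)[0]
            inventory[name.strip().lower()] = None
    return inventory


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed_in)


def audit(inventory: dict, advisories: list) -> list:
    """One finding per problem: unvetted critical component, unpinned version, known advisory."""
    findings = []
    for pkg, version in sorted(inventory.items()):
        if CRITICAL_NAME.search(pkg) and pkg not in APPROVED_CRITICAL:
            findings.append(f"{pkg}: security-critical component not on the approved list")
        if version is None:
            findings.append(f"{pkg}: version not pinned, so it cannot be matched against advisories")
            continue
        for adv in advisories:
            if adv.package == pkg and is_affected(version, adv):
                findings.append(
                    f"{pkg}=={version}: affected by {adv.advisory_id}, upgrade to >= {adv.fixed_in}"
                )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_inventory(INVENTORY), ADVISORIES):
        print(finding)
```

On the sample inventory this reports the vulnerable `acme-auth` pin, the unvetted and vulnerable `crypto-helper`, and the unpinned `yaml-lite`; `fastjson-py` passes because 3.0.1 is at or above the fixed version. The same inventory is the natural place to record each component's license and provenance for the review in the last bullet.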
Mitigating Risks of Code Modifications
When modifying existing software, it’s important to assess and mitigate new risks:
- Determine if changes could compromise built-in security features.
- Evaluate compatibility with other software in your ecosystem.
- Consider the long-term implications of in-house modifications, especially if vendor support is lost.
Avoiding Common Vulnerabilities
Certain vulnerabilities are especially common—and preventable:
- SQL Injection: Never build queries by concatenating user input. Use parameterized queries (prepared statements) or a query builder/ORM that binds values, and treat input validation as defense in depth rather than the primary control.
- Cross-Site Scripting (XSS): Apply context-aware output encoding wherever untrusted data is rendered (HTML body, attributes, JavaScript, URLs), prefer templating engines that escape by default, and add a Content Security Policy as a second layer.
- Buffer Overflows: Prefer memory-safe languages; where C or C++ is unavoidable, use bounds-checked APIs and enable compiler and platform hardening (stack protectors, ASLR, non-executable stacks).
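The first two items are best understood as a vulnerable snippet beside its hardened form. The code below is an added example for this page, not from the standard or any project: it uses Python's standard-library `sqlite3` (an in-memory database with constructed rows) and `html.escape`. It also shows why "sanitize the input" is the wrong primary control for SQL injection: the concatenating query breaks on a legitimate name like O'Brien, while the parameterized one handles it correctly. Buffer overflows are not shown because they cannot occur in Python.

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (no real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", 1), ("bob", "hash-b", 0), ("O'Brien", "hash-c", 0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the input is pasted into the statement, so the database parses it as SQL."""
    query = f"SELECT username, is_admin FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value is bound as a parameter and can never change the query's structure."""
    return conn.execute(
        "SELECT username, is_admin FROM users WHERE username = ?", (username,)
    ).fetchall()


def query_breaks(conn: sqlite3.Connection, username: str) -> bool:
    """True when the concatenating version fails on legitimate input such as O'Brien."""
    try:
        lookup_vulnerable(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def render_vulnerable(comment: str) -> str:
    """Vulnerable: untrusted text placed in HTML without encoding."""
    return f"<p>{comment}</p>"


def render_safe(comment: str) -> str:
    """Hardened for element-body context: entity-encode <, >, & and quotes."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def render_attr_safe(value: str) -> str:
    """Hardened for a quoted attribute: the quote itself must be encoded, otherwise the
    attacker closes the attribute and appends an event handler."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    conn = build_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, tautology))   # every row comes back
    print("safe:      ", lookup_safe(conn, tautology))         # no such user
    print("O'Brien breaks concatenation:", query_breaks(conn, "O'Brien"))
    print(render_safe("<script>alert(1)</script>"))
    print(render_attr_safe('" onfocus="alert(1)'))
```

The tautology payload returns every row from the concatenating query and nothing from the parameterized one. Note that `sqlite3`'s `execute()` refuses stacked statements, so the classic `'; DROP TABLE` payload does not work here, but the tautology is enough to dump data, and other drivers do allow stacking. For XSS, the encoding depends on where the value lands: `html.escape` covers the element body and quoted attributes, while a value placed inside a script block or a URL needs that context's encoding instead.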
Supporting Templates and Tools
Need help implementing secure coding? Templates can simplify the process and ensure consistency.
- Secure Development Policy Template: Policy governing secure software development.
- Secure Coding Checklist Template: Track secure coding practices for each project.
- Threat Modeling Template: Identify and address risks during design.
- Code Review Documentation Template: Standardize peer review processes.
- Vulnerability Management Template: Log and track resolution of security issues.
Related ISO 27001 Controls for Secure Coding
Control 8.29: Security Testing in Development and Acceptance
- Relevance: Security testing verifies that secure coding practices have been effectively implemented.
- Connection: Secure coding (Control 8.28) lays the foundation for secure development, while Control 8.29 ensures that vulnerabilities introduced during coding are identified and addressed through rigorous testing, such as Static Application Security Testing (SAST).
Control 8.8: Vulnerability Management
- Relevance: Addresses identifying, documenting, and remediating vulnerabilities in software and systems.
- Connection: Secure coding (Control 8.28) is a preventive measure to minimize vulnerabilities, while Control 8.8 provides a framework for managing and resolving any discovered vulnerabilities.