Series: New Controls in ISO/IEC 27001:2022 Annex A
- sujosutech
- 19 minutes ago
- 2 min read
Secure Coding
In this article series, we are analyzing the implementation aspects of the 11 new controls of ISO/IEC 27001:2022 Annex A. The final article of the series explores the new technological control 8.28 (Secure coding).

Control
Control 8.28 (Secure coding) requires that secure coding principles be applied to software development, so that vulnerabilities are avoided at the point where code is written rather than found and fixed later.
Attributes
This is a preventive control. Implementing it helps an organization avoid introducing vulnerabilities during software development, and thereby supports the confidentiality, integrity and availability of information systems, applications and networks.
Implementation
The organization should establish processes and governance for secure coding that apply to in-house software development, outsourced software development and open-source software components used in its products. The secure coding principles should be designed with real-world threats in mind and kept current with up-to-date information on software vulnerabilities (e.g. published weakness catalogues and vendor advisories).
Activities before coding may include configuring secure development environments and tools, recruiting or identifying competent developers, and preparing a secure design and architecture. During coding, secure programming techniques (e.g. pair programming and peer review of code) should be followed, defects found should be removed before release, and the code should be properly documented. Static application security testing (SAST) tools may be used to identify security vulnerabilities in source code before it is built or deployed. After deployment, the software needs continuous maintenance: protecting the source code against unauthorized access and modification, tracking bugs and errors reported in the software, and providing security updates and patches.
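To make the "during coding" activities concrete, here is an added example that is not from the standard or from the article: a SQL-injection defect beside its hardened form, and a minimal AST-based check of the kind a SAST tool runs, applied to a constructed sample source. The in-memory table, the attacker input and the sample source are all constructed for the illustration; the check is flow-insensitive and is meant to show the idea, not to replace a real SAST tool.

```python
"""Added example for ISO/IEC 27001:2022 control 8.28: a SQL-injection defect,
its hardened form, and a minimal SAST-style check that flags the defect pattern.
Illustrative code written for this article; not from the standard or any product."""
import ast
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table of three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "dev"), ("carol", "dev")])
    return conn


def unsafe_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Defect: untrusted input is spliced into the SQL text itself."""
    query = f"SELECT name, role FROM users WHERE name = '{username}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (username,)).fetchall()


def _built_from_pieces(node):
    """Return a reason string if the expression assembles a string at run time."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "% formatting"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return ".format()"
    return None


def find_sql_string_building(source: str) -> list:
    """Minimal SAST-style rule: report execute()/executemany() calls whose SQL
    argument is assembled from pieces. Returns a sorted list of (line, reason).
    Simplification (assumption of this example): assignments are tracked by
    name only, without control-flow analysis; the last assignment wins."""
    tree = ast.parse(source)
    assigned = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            assigned[node.targets[0].id] = node.value
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            continue
        arg = node.args[0]
        if isinstance(arg, ast.Name) and arg.id in assigned:
            arg = assigned[arg.id]          # follow `q = ...; execute(q)`
        reason = _built_from_pieces(arg)
        if reason:
            findings.append((node.lineno, reason))
    return sorted(findings)


# Constructed sample source for the check: two defective functions, one clean.
SAMPLE_SOURCE = '''
def a(conn, name):
    q = f"SELECT * FROM users WHERE name = '{name}'"
    return conn.execute(q)

def b(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '%s'" % name)

def c(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


def demo() -> dict:
    """Run the defect, the fix and the check; return the observations."""
    conn = make_db()
    payload = "x' OR '1'='1"            # constructed attacker input
    return {
        "unsafe_rows": len(unsafe_lookup(conn, payload)),  # whole table leaks
        "safe_rows": len(safe_lookup(conn, payload)),      # no such user
        "findings": find_sql_string_building(SAMPLE_SOURCE),
    }


if __name__ == "__main__":
    print(demo())
```

The same input that dumps every row through `unsafe_lookup` returns nothing through `safe_lookup`, and the check reports lines 4 and 7 of the sample (the f-string routed through a variable, and the `%` formatting) while leaving the parameterised query on line 10 alone. A peer reviewer would raise the same two findings; the check simply makes them repeatable on every commit.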
Artefacts
The contents and implementation of the following security policies and procedures may be impacted by the above control:
Secure Development Policy – This policy establishes the best practices for secure software development within the organization.
Outsourcing and Supplier Policy – This policy includes the best practices for outsourced software development.
Software Installation Policy – The purpose of this policy is to ensure the secure installation of software on the organization’s systems.
Secure Coding Procedure – This document provides procedures for secure coding within, and for, the organization.
Technical Vulnerability Management Procedure – Rules for the management of technical vulnerabilities within software are defined in this procedure.
Code Documentation – This should describe the secure coding techniques that have been followed, and the security measures that have been incorporated within the software.
How Sujosu Technology Can Help
Sujosu Technology helps organizations design and implement systems that prioritize cyber security, data privacy and compliance. Our services include:
Risk Assessments: Identifying cyber security and privacy requirements and vulnerabilities in applications and infrastructure.
Countermeasures and Solutions: Providing tailored strategies to prevent, detect and recover from potential attacks.
Compliance Documentation: Helping you comply with the requirements of specific standards and regulations by compiling policies, procedures and other relevant manuals.
Training and Awareness: Equipping your team with the knowledge to address cyber security and privacy challenges effectively.
With Sujosu Technology’s expertise, your organization can build systems that are secure and resilient against security and privacy breaches. We can also help you achieve compliance with relevant standards and legislation, and we organize webinars and publish articles to raise awareness of various aspects of cyber security and data privacy.
Partner with Sujosu Technology
Protect your data and ensure compliance with Sujosu Technology’s state-of-the-art cyber security and privacy services. Stay ahead of challenges and foster trust with your stakeholders.