ISO 27001:2022 Annex A 8.28 – Secure Coding

• See ISO 27002:2022 Control 8.28 for more information.

ISO 27001 Annex A 8.28: Strengthening Software Security with Secure Coding

The use of poor coding practices, such as incorrect input validation and weak key generation, can lead to cyber-attacks and the compromise of sensitive information assets.

For this reason, hackers exploited the infamous Heartbleed bug to access more than 4 million patient records.

To prevent security vulnerabilities, organisations need to follow secure coding principles.

What Is The Purpose of ISO 27001:2022 Annex A 8.28?

Per ISO 27001:2022, Annex A Control 8.28 assists organisations in preventing security risks and vulnerabilities that may arise due to poor software coding practices through developing, implementing, and reviewing appropriate secure software coding practices.

Who Has Ownership of Annex A 8.28?

A chief information security officer should be responsible for taking appropriate steps to ensure compliance with 8.28, which requires developing and implementing secure coding principles and procedures throughout the organisation.

Compliance Guidelines on ISO 27001:2022 Annex A 8.28

Organisations must develop and implement secure coding processes that apply to products supplied by external parties and open-source software components, as outlined in ISO 27001 Annex A Control 8.28.

In addition, organisations should remain informed about evolving real-world security threats and the latest information on known or potential software security vulnerabilities. By using this approach, organisations can develop robust, secure coding principles to combat evolving cyber threats.

Supplementary Guidance on Planning

It is essential that both new coding projects and software reuse operations adhere to secure software coding principles.

These principles should be adhered to both when developing software internally and when transferring software products or services.

Organisations should consider the following factors when developing a plan for secure coding principles and determining prerequisites for secure coding:

• Security expectations should be tailored to the organisation’s specific needs, and approved principles for secure software code should be established to apply to in-house software development and outsourced components.
• Organisations should identify and document the most prevalent and historical coding design mistakes and poor coding practices to prevent data security breaches.
• Organisations should implement and configure software development tools to ensure the security of all code created. Integrated development environments (IDEs) are an example of such tools.
• Software development tools should provide guidance and instructions to assist organisations in complying with the guidelines and instructions.
• Developing tools such as compilers should be reviewed, maintained, and used securely by organisations.

Supplementary Guidance on Security During Coding

To ensure secure coding practices and procedures, the following should be considered during the coding process:

• Coding principles for secure software should be tailored to each programming language and technique.
• Test-driven development and pair programming are examples of secure programming techniques and methods.
• Implementation of structured programming techniques.
• Documentation of the code and the removal of defects in the code.
• Using insecure software coding methods such as unapproved code samples or hard coded passwords is prohibited.

A security test should be conducted during and after development, as specified in ISO 27001 Annex A Control 8.29.

Organisations should consider the following items before implementing the software in a live application environment:

• Is there an attack surface?
• Is the least privilege principle followed?
• Analysing the most prevalent programming errors and documenting their elimination.

Supplementary Guidance for the Review Process

Following the Implementation of the Code in the Production Environment

• A secure method should be used to apply updates.
• Per ISO 27001:2022 Annex A Control 8.8, security vulnerabilities should be addressed.
• Records should be kept of suspected attacks and errors on information systems, and these records should be reviewed regularly so that appropriate changes can be made.
• The use of tools such as management tools should be used to prevent unauthorised access, use, or modification of source code.

Organisations Should Consider the Following Factors When Using External Tools

• Regular monitoring and updating of external libraries should be conducted per their release cycles.
• A thorough review, selection, and authorisation of software components are essential, particularly those related to cryptography and authentication.
• Obtaining licenses for external components and ensuring their security.
• There should be a system for tracking and maintaining software. Moreover, it must be made certain that it has come from a reputable source.
• It is essential to have long-term development resources available.

The Following Factors Should Be Taken Into Consideration When Making Changes to a Software Package:

• Integrity processes or built-in controls may expose an organisation to risks.
• It is essential to determine whether the vendor has consented to the changes.
• Can the vendor’s consent be obtained to perform regular updates on the software?
• The likely impact of maintaining the software as it changes.
• What effect will the changes have on other software components the organisation uses?

Additional Guidance on ISO 27001:2022 Annex A 8.28

Organisations must make sure they use security-relevant code whenever necessary and that it is resistant to tampering.

Annex A Control 8.28 of ISO 27001:2022 makes the following recommendations for security-relevant code:

• While programs downloaded via binary code will include security-related code in the application itself, it will be limited in scope to data stored internally within the application.
• Keeping track of security-relevant code is only useful if it is run on a server that cannot be accessed by the user and is separated from the processes that are using it so that its data is kept secure in another database and safely segregated from the processes that use it. The use of a cloud service to run an interpreted code is possible, and you can restrict access to the code to privileged administrators to restrict access to the code. The recommendation is that these access rights be protected with just-in-time administrator privileges and robust authentication mechanisms that only grant access to the site at the right time.
• A suitable configuration should be implemented on web servers to prevent unauthorised access to and browsing of directories on the server.
• To develop secure application code, you must assume that the code is vulnerable to attacks due to coding errors and actions taken by malicious actors. A critical application should be designed to be immune to internal faults in a way that prevents it from being prone to errors. For example, when evaluating the output of an algorithm, it is possible to ensure that the output conforms to security requirements before the algorithm can be used in critical applications, such as those related to finance, before it can be used in the application.
• Due to a lack of good coding practices, certain web applications are highly susceptible to security threats, such as database injection and cross-site scripting attacks.
• It is recommended that organisations refer to ISO/IEC 15408 for more information on IT security evaluation and how to conduct it.

What Are the Changes From ISO 27001:2013?

Annex A 8.28 is a new Annex A control that has been added to the ISO 27001:2022 standard.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Helps

Whether you are completely new to information security or want to learn about ISO 27001 concisely without having to spend time reading long and detailed documents or learning from scratch, our platform is designed specifically for you.

Using ISMS.Online, you will easily access document templates, checklists and policies that can be customised to meet your needs.

Would you like to see how it works?

Get in touch today to book a demo.