Poor coding practices such as improper input validation and weak key generation can expose information systems to security vulnerabilities and result in cyber attacks and compromise of sensitive information assets.
For example, the infamous Heartbleed bug in OpenSSL was a missing length check in the TLS heartbeat handler: the server trusted the payload length claimed by the client and copied that many bytes from memory back to it, so an attacker could read server memory containing keys, passwords and session data. In one widely reported breach attributed to Heartbleed, attackers obtained the records of more than 4 million patients.
Therefore, organisations should ensure that secure coding principles are followed so that poor coding practices do not lead to security vulnerabilities.
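The bug class described above, reduced to its essentials as an added example (this is an illustrative reconstruction written for this page, not OpenSSL's code). A heartbeat-style request carries a type byte, a two-byte length claimed by the sender and then the payload that actually arrived; the vulnerable handler copies the claimed number of bytes, the fixed handler first checks that claim against the number of bytes received. The memory layout, the secret string and the request bytes are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout of a simulated process memory region: the received
 * request sits at offset 0 and an unrelated secret (constructed for the
 * demo, standing in for a key or session token) sits at SECRET_OFFSET. */
#define MEM_SIZE      96
#define SECRET_OFFSET 64
#define HDR_LEN       3                 /* 1 type byte + 2-byte length field */
#define SECRET        "constructed-session-key"

/* Number of bytes the "network" actually delivered: header + 4 payload bytes. */
#define RECEIVED_LEN  (HDR_LEN + 4)

/* Lay out memory: a request claiming a 93-byte payload but carrying only 4. */
void setup_memory(uint8_t *mem)
{
    memset(mem, 0xAA, MEM_SIZE);               /* filler, stands in for heap noise */
    mem[0] = 0x01;                             /* heartbeat request type */
    mem[1] = 0x00; mem[2] = 0x5D;              /* claimed payload length 93 (0x005D) */
    memcpy(mem + HDR_LEN, "ping", 4);          /* the only payload bytes actually sent */
    memcpy(mem + SECRET_OFFSET, SECRET, strlen(SECRET) + 1);
}

/* Vulnerable: trusts the sender's length field and copies that many bytes
 * out of the receive buffer, far past the bytes that actually arrived.
 * Returns the number of bytes echoed back. The clamp to MEM_SIZE exists only
 * so the demo stays inside its own array; real code would read arbitrary heap. */
size_t heartbeat_vulnerable(const uint8_t *mem, size_t received,
                            uint8_t *out, size_t out_cap)
{
    if (received < HDR_LEN) return 0;
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (claimed > MEM_SIZE - HDR_LEN) claimed = MEM_SIZE - HDR_LEN;
    if (claimed > out_cap) claimed = out_cap;
    memcpy(out, mem + HDR_LEN, claimed);       /* over-read: never compared to received */
    return claimed;
}

/* Fixed: the claimed payload length must fit inside the bytes actually
 * received, otherwise the request is dropped (the OpenSSL fix likewise
 * silently discards such a request). */
size_t heartbeat_fixed(const uint8_t *mem, size_t received,
                       uint8_t *out, size_t out_cap)
{
    if (received < HDR_LEN) return 0;
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (claimed > received - HDR_LEN) return 0;   /* the missing bounds check */
    if (claimed > out_cap) return 0;
    memcpy(out, mem + HDR_LEN, claimed);
    return claimed;
}

/* Does the echoed buffer contain the secret? 1 if yes, 0 if not. */
int leaks_secret(const uint8_t *out, size_t n)
{
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    setup_memory(mem);

    size_t n = heartbeat_vulnerable(mem, RECEIVED_LEN, out, sizeof out);
    printf("vulnerable: echoed %zu bytes, secret leaked: %s\n",
           n, leaks_secret(out, n) ? "yes" : "no");

    n = heartbeat_fixed(mem, RECEIVED_LEN, out, sizeof out);
    printf("fixed: echoed %zu bytes (0 = request rejected)\n", n);
    return 0;
}
```

The point a code reviewer should take from this is that the length field is attacker-controlled input like any other: every value parsed from a message must be validated against what was actually received before it is used to size a copy, and the check must live in the code path that does the copy, not in a comment or a protocol document.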
Control 8.28 enables organisations to prevent security risks and vulnerabilities that may arise as a result of poor software coding practices by designing, implementing, and reviewing appropriate secure software coding principles.
Control 8.28 is a preventive type of control that helps organisations maintain the security of networks, systems, and applications by eliminating risks that may arise out of poorly-designed software code.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application Security #System and Network Security | #Protection |
Considering that Control 8.28 requires the design and implementation of organisation-wide secure coding principles and procedures, the chief information security officer should be responsible for taking the appropriate steps to achieve compliance.
Control 8.28 requires organisations to establish and implement organisation-wide processes for secure coding that apply both to software products obtained from external parties and to open source software components.
Furthermore, organisations should keep up to date with evolving real-world security threats and with the most recent information on known or potential software security vulnerabilities. This enables them to improve their secure coding principles over time and to implement ones that remain effective against evolving cyber threats.
Secure software coding principles should be followed both for new coding projects and for software reuse operations.
These principles should be adhered to both for in-house software development activities and for the transfer of the organisation’s software products or services to third parties.
When establishing a plan for secure coding principles and determining the prerequisites for secure coding, organisations should address the following:
Secure coding practices and procedures should take into account the following for the coding process:
Supplementary Guidance also notes that security testing should be performed both during and after the development in accordance with Control 8.29.
Before putting the software into actual use in the live application environment, organisations should consider the following:
Organisations should ensure that security-relevant code is used where it is necessary and that it is resistant to tampering.
Control 8.28 also lists the following recommendations for security-relevant code:
Control 8.28 (Secure coding) is a new control in ISO/IEC 27002:2022 with no direct equivalent in the 2013 edition.
Our platform has been developed specifically for those who are new to information security or who need an easy way to learn about ISO 27002 without having to start from scratch or read through lengthy documents.
ISMS.online comes equipped with all the tools needed to achieve compliance, including document templates, checklists and policies, which can be customised according to your needs.
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |