
Control 8.25: Secure Development Life Cycle


Summary

Rules for the secure development of software and systems should be established and applied. This ensures that security is integrated into every phase of the development process, rather than being added as a final step.


Applicability

In-Scope: Mandatory for any organization that writes custom code, develops internal apps, or manages complex scripts. It is critical for preventing the introduction of vulnerabilities into the production environment.

Out-of-Scope: Only if the organization performs no software development, customization, or scripting at all.


Implementation Guidance

Microsoft 365 / Entra ID

  • Integrated Security: Use GitHub Advanced Security or Azure DevOps to integrate automated security scanning (SAST/DAST) into the CI/CD pipeline.

  • Peer Review: Enforce branch protection rules in Azure DevOps that require at least one peer review and a successful security scan before code can be merged.

  • Developer Training: Provide developers with access to secure coding resources and ensure they are briefed on the OWASP Top 10 vulnerabilities.


Evidence Checklist

  • Secure Coding Standards: Documented guidelines that developers must follow (e.g., input validation, error handling).

  • Pipeline Logs: Evidence that automated security tests were run and passed for recent software releases.

  • Review Records: Audit trails showing that peer reviews were conducted for all changes to production code.
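The merge gate described under Peer Review above (at least one peer review plus a successful security scan) can be checked against the review and pipeline records this checklist asks for. The script below is an added example, not part of the control text or any vendor tooling: it evaluates a constructed export of merged pull requests and reports each merge that did not meet the gate. The record layout and field names (`reviews`, `checks`, `conclusion`) are assumptions, not a real platform's schema.

```python
"""Audit helper: check merged pull-request records against the 8.25 merge gate.

Added example. The record format is a constructed simplification of what a
Git hosting platform exports; field names are assumptions, not a vendor schema.
"""
from dataclasses import dataclass, field

# Constructed sample export: one dict per pull request merged to the
# production branch, with review decisions and pipeline check results
# flattened so the gate can be evaluated offline.
MERGED_PRS = [
    {"id": 101, "author": "alice", "target": "main",
     "reviews": [{"user": "bob", "state": "APPROVED"}],
     "checks": [{"name": "sast", "conclusion": "success"}]},
    {"id": 102, "author": "carol", "target": "main",
     "reviews": [{"user": "carol", "state": "APPROVED"}],    # self-approval only
     "checks": [{"name": "sast", "conclusion": "success"}]},
    {"id": 103, "author": "dave", "target": "main",
     "reviews": [{"user": "erin", "state": "APPROVED"}],
     "checks": [{"name": "sast", "conclusion": "failure"}]},  # scan failed
    {"id": 104, "author": "frank", "target": "main",
     "reviews": [], "checks": []},                             # no evidence at all
]

REQUIRED_CHECKS = ("sast",)  # scan(s) the branch policy is supposed to require


@dataclass
class Finding:
    pr_id: int
    gaps: list = field(default_factory=list)


def evaluate_pr(pr, required_checks=REQUIRED_CHECKS, min_reviewers=1):
    """Return the control gaps for one merged PR (empty list means compliant).

    A review counts only if it is APPROVED and not cast by the PR author;
    each required check must have a recorded 'success' conclusion."""
    gaps = []
    peer_approvals = {r["user"] for r in pr["reviews"]
                      if r["state"] == "APPROVED" and r["user"] != pr["author"]}
    if len(peer_approvals) < min_reviewers:
        gaps.append(f"peer review: {len(peer_approvals)} approval(s), need {min_reviewers}")
    results = {c["name"]: c["conclusion"] for c in pr["checks"]}
    for name in required_checks:
        if results.get(name) != "success":
            gaps.append(f"security scan '{name}': {results.get(name, 'missing')}")
    return gaps


def audit(prs):
    """Return a Finding for every PR merged without meeting the gate."""
    return [Finding(pr["id"], gaps) for pr in prs if (gaps := evaluate_pr(pr))]


if __name__ == "__main__":
    for f in audit(MERGED_PRS):
        print(f"PR {f.pr_id}: " + "; ".join(f.gaps))
```

Run against a real export, the non-empty findings are the exceptions an auditor will ask you to explain; an empty result is the evidence that the gate held for the period reviewed.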


Practical Audit Advice

Here are some questions the auditor might ask:

  • At what stage of the development lifecycle is the security team involved in reviewing the architecture or design?

  • How do you ensure that secrets like API keys or database passwords are never committed to the source code repository?

  • What is the process for handling a critical security vulnerability discovered in a piece of software that is already in production?

  • Can you demonstrate that the development, testing, and production environments are physically or logically separated?