Technological Control 8.28

Secure Coding

Summary

Secure coding principles should be applied to software development. This reduces the number of security vulnerabilities in custom-written code by ensuring developers use safe functions, validate all inputs, and manage memory and errors correctly.

Applicability

In-Scope: Mandatory for any organization that develops internal applications, custom scripts, or automated workflows. It is the primary defense against common flaws like SQL injection and cross-site scripting (XSS).

Out-of-Scope: Only if the organization performs no custom programming, scripting, or API integration work at all.

Implementation Guidance

Microsoft 365 / Entra ID

  • Development Tools: Use Visual Studio or VS Code with security extensions to flag insecure coding patterns in real time as developers write code.

  • Static Analysis (SAST): Integrate GitHub Advanced Security or Azure DevOps security tasks to automatically scan code for vulnerabilities every time it is committed to a repository.

  • Library Management: Use tools like Dependabot to automatically identify and update out-of-date or vulnerable software libraries used in custom code.

Evidence Checklist

  • Secure Coding Guidelines: A documented set of rules for developers, such as the OWASP Top 10 mitigation strategies.

  • Automated Scan Reports: Logs from the CI/CD pipeline showing that code scans were performed and that critical vulnerabilities were remediated.

  • Peer Review Records: Audit trails in GitHub or Azure DevOps showing that a second person reviewed the code for security flaws before merging.

Practical Audit Advice

Here are some questions the auditor might ask:

  • What specific secure coding standard (e.g., OWASP, CERT) does the organization use as its primary reference?

  • How are developers trained on secure coding practices, and how often is this training updated?

  • Can you provide a recent report showing that a high-severity vulnerability was identified by an automated scan and subsequently fixed?

  • How do you ensure that hardcoded secrets (passwords, API keys) are never included in the source code?

Templates for this control

Downloadable ISO 27001:2022 templates relevant to this control. Use them as a starting point for your own documentation.

Code Review Checklist (xlsx)

Security-focused code review checklist covering OWASP Top 10 and common vulnerability patterns.

Secure Coding Standards (docx)

Programming guidelines and requirements to prevent common security vulnerabilities in code.
