
Control 8.28: Secure Coding


Summary

Secure coding principles should be applied to software development. This reduces the number of security vulnerabilities in custom-written code by ensuring developers use safe functions, validate all inputs, and manage memory and errors correctly.


Applicability

In-Scope: Mandatory for any organization that develops internal applications, custom scripts, or automated workflows. It is the primary defense against common flaws like SQL injection and cross-site scripting (XSS).

Out-of-Scope: The control can be excluded only if the organization performs no custom programming, scripting, or API integration work at all.
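The SQL injection flaw named above, shown as the insecure query beside its secure form, with an allow-list input check alongside. This is an added illustration, not code from the page; the in-memory database, table and sample users are constructed here.

```python
import re
import sqlite3

# Allow-list for usernames (assumed policy for this example): lowercase
# letters, digits and underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_valid_username(value):
    """Input validation: reject anything outside the allow-list."""
    return USERNAME_RE.fullmatch(value) is not None


def make_db():
    """Constructed sample database with three users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    # Insecure pattern: the value is pasted into the SQL text, so a quote in
    # the input changes the statement's logic instead of being treated as data.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Secure pattern: a parameterized query. The driver binds the value, so it
    # is always data and never part of the statement.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("valid input?", is_valid_username(crafted))  # False: rejected up front
    print("unsafe:", find_user_unsafe(db, crafted))      # every row leaks
    print("safe:  ", find_user_safe(db, crafted))        # no match
```

A SAST rule or code-review checklist item flags the f-string query shape; the parameterized form is what the review should expect to see.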


Implementation Guidance

Microsoft 365 / Entra ID

  • Development Tools: Use Visual Studio or VS Code with security extensions that flag insecure coding patterns in real time as developers write code.

  • Static Analysis (SAST): Integrate GitHub Advanced Security or Azure DevOps security tasks to automatically scan code for vulnerabilities every time it is committed to a repository.

  • Library Management: Use tools like Dependabot to automatically identify and update out-of-date or vulnerable software libraries used in custom code.


Evidence Checklist

  • Secure Coding Guidelines: A documented set of rules for developers, such as the OWASP Top 10 mitigation strategies.

  • Automated Scan Reports: Logs from the CI/CD pipeline showing that code scans were performed and that critical vulnerabilities were remediated.

  • Peer Review Records: Audit trails in GitHub or Azure DevOps showing that a second person reviewed the code for security flaws before merging.


Practical Audit Advice

Here are some questions the auditor might ask:

  • What specific secure coding standard (e.g., OWASP, CERT) does the organization use as its primary reference?

  • How are developers trained on secure coding practices, and how often is this training updated?

  • Can you provide a recent report showing that a high-severity vulnerability was identified by an automated scan and subsequently fixed?

  • How do you ensure that hardcoded secrets (passwords, API keys) are never included in the source code?