top of page

ISO27001:2022─Secure coding

Nowadays, security vulnerabilities are caused by program errors, and application operation vulnerability control will cause serious privacy leakage, which will lead to major security risks, so that the developed programs cannot be easily leaked, and it is extremely convenient and important for hackers to obtain devices.

In A.14.2 of the old version, ISO27001:2013, the development and support process are divided into two aspects: the security of the development environment and the security of the development process after the revision. A.8.25 of the new version of ISO27001:2022 maintains the development cycle, which focuses on the security of the development process, and requires confirmation of the security of the development cycle in terms of services, hardware architecture, and software systems.

A.8.28 of the new ISO27001:2022 program development security (Secure coding) focuses on the security of the development process, requiring organizations to establish a process, and propose minimum security guidelines for the three stages of software development: Reduce information security breaches.

Today, many engineers are so-called "copy-and-paste engineers" who directly use the code found on the Internet to implement functions. Therefore, we often find code with the same vulnerability in many different programs, on the Internet. There is a lot of code that only cares about the execution result and doesn't care if there are security risks. An application is best designed to assume that it is always under attack. Developers need to evaluate the possible attack surface of the application. Any execution that can be affected by user input requires special care.

The safety of program development should also be combined with the control item A.8.16 of ISO27001:2022-Monitoring activities in a timely manner, to monitor various exceptions of the program, and record the errors that occur in the program to facilitate subsequent maintenance and find out by analyzing the LOG file. And eliminate errors, and finally developed results need to be packed, code obfuscation and other source code protection mechanisms, in order to increase the cost and difficulty of reverse engineering and tampering by hackers. Finally, in terms of post-maintenance, in order to avoid sparseness in the development process, the organization must ensure that the program has a secure update pipeline and can make immediate repairs when vulnerabilities are discovered to avoid damage expansion.

-ASF ISMS Lead Auditor Dan Lin


bottom of page