
“8.28 Secure coding” – New controls in ISO/IEC 27002:2022 – Blog series


Secure application programming has become a key asset for companies, and not just because of new standards like ISO/IEC 27002. A Google search for “secure coding” yields 180,000,000 hits; correspondingly, there are countless reports, guides, and principles on this topic. This is one more reason to devote more time to secure development. A new version of the ISO/IEC 27002 standard was published in 2022 (see also the blog post “The new ISO/IEC 27002”). This blog series is intended to give anyone interested a first insight into the new controls contained in the new 27002:2022 standard. In this post, we introduce you to the “8.28 Secure coding” control.

Why secure programming is an important asset

To understand secure programming, it is often enough to look at what happens when the delivered software contains errors. There are countless software projects in the world, and none of them will be error-free. Nevertheless, it is advisable to avoid careless errors from the outset and to adhere to a few principles of secure programming. The OWASP Top 10 list, for example, offers guidance on appropriate error prevention for web applications. This list enumerates the critical vulnerabilities for web applications every year.

Previous implementation of the standard

For the auditing and certification of an information security management system (ISMS) according to ISO/IEC 27001, several measures from the annex and the previous version of 27002 were previously available as supporting descriptions on the topic of “secure programming.” These standards already touch on several aspects, which will be discussed in much greater detail below. A central aspect of the old standard concerns documentation. In the style of work instructions, it is intended to guide developers and other legitimate stakeholders in the source code on how to handle various programming languages, change management, and other aspects of software development.

What’s new?

Control 8.28 now addresses the principles of secure coding. According to this, companies should generally ensure a minimum level of security and control over the programming they use. This includes both in-house developments and components and libraries from integrated (third-party) software. So far, nothing new.

In contrast to previous requirements, the new standard divides software development into three phases: the planning and preparation phase for programming (section “Planning and before coding”), the phase during coding (section “During coding”), and the follow-up phase in the form of review and maintenance (section “Review and maintenance”).

Planning and preparation

Within the specialist departments – before the first line of code is written – overarching, shared values and recognized principles, such as the OWASP Top 10 described above, should be agreed upon. These jointly developed principles can serve as a basis for subsequent projects, but should be reviewed at regular intervals. Part of this phase also includes questioning common programming practices that could lead to vulnerabilities in existing or new software. The programs required for programming should also be provided during this phase. This includes at least one development environment, a repository, a build server and, depending on the needs and size of the team, a tool for project management and organization. If a development infrastructure already exists, it should be regularly maintained and updated. The same applies to the developer clients.

The programming phase

For development, further aspects must be taken into account during programming, including applying the safe practices of the respective programming techniques and always keeping up to date with innovations in programming languages.
