ISO 27001 and the Evolution of Secure Coding

ISO 27001 is a globally recognized international standard that offers a systematic approach to managing information security. When used with its guidance document, ISO 27002, it provides standardized requirements and best practices for creating and maintaining an Information Security Management System (ISMS).

In 2022, the release of the ISO 27002:2022 document included additions to enable information security professionals to address the latest information security risks. One of the most prominent additions is 8.28 Secure Coding, which provides requirements for protecting sensitive data and other personal information during the Software Development Life Cycle.

This blog will provide a technical introduction to ISO 27001 and discuss:

• Important changes in 27002:2022
• What is secure coding
• What is included in the ISO Secure Coding provision
• A guide to secure coding activities

What is ISO 27001?

ISO 27001 is an international standard that was published as a joint effort by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, then revised in 2013 and more recently in 2022 to account for the ever-changing risk landscape.

ISO 27001 specifies requirements for establishing, implementing, maintaining, and continuously improving an information security management system (ISMS). It is important for any organization that handles sensitive information to adapt its strategies based on its size, its needs, and any relevant potential for risk. Most ISO 27001 provisions are based on the information security principles of Confidentiality, Integrity, and Availability (CIA), which define their protection criteria.

Organizations that are confident about their implementation of an ISMS based on ISO 27001 can get certified by an accredited certification body after the completion of a three-stage external audit process that verifies their implementation.

What is ISO 27002?

As counterpart to ISO 27001, ISO 27002 provides best practices and additional information for implementing the ISMS. It got its origin in the early 1990s with corporate security standards provided by Shell to the UK government, which then became the British Standard BS 7799. In 2000, BS 7799 became ISO/IEC 17799 and was renamed in 2007 to ISO/IEC 27002 in order to stay consistent with the other standards in the ISO/IEC 27000 series. Since then ISO/IEC 27002 has seen revisions in 2005, 2013, and most recently in 2022.

ISO 27002 certification isn’t a thing, because it is merely an advisory document meant to be interpreted by the implementing company based on their specific risk requirements. However, ISO 27001 aligns itself with 27002, which means that the provisions in 27002 still must be implemented to get 27001 certification.

Important changes in 27002:20222

ISO 27002:2022 introduced updates to catch up with changes in legislation and technology as well as evolving threats in the industry. Despite these updates, the document’s purpose remains the same as it still provides controls meant to be implemented within the context of an ISMS based on 27001.

Changes in 27002:2022 include:

• There are now 4 themes instead of 14 domains.
• The number of security controls was reduced from 114 to 93
• There are 11 new controls, one of which is 8.28 Secure Coding

What is secure coding?

Secure coding is the practice of preventing security vulnerabilities in written code by writing code that follows strict principles. These principles govern coding techniques, practices, and the decision-making process of developers writing the code.

What is included in the ISO Secure Coding provision?

ISO 27001 8.28 is broken down into sections covering different phases of the SDLC.

General secure coding activities

The ISO standard indicates that the organization should establish organization-wide processes to provide secure coding governance that covers both internally developed code and third-party software components including open source. The organization should also establish a minimum baseline and stay updated on new threats and vulnerabilities.

What to do before coding (planning and precoding)

The ISO 27002 guidance document recommends taking advantage of the planning stage to set standards and expectations for secure coding for both internal and outsourced development. Establishing developer proficiency in secure coding through training and education should be a focal point for organizations.

The guideline further suggests keeping development tools up to date and properly configured to support coding standards enforcement. This entails setting stringent access rights to preserve code privacy and security during its creation. Threat modeling should be an essential part of the application’s architecture and design, potentially encompassing scenarios where the system is attacked or compromised.

What to do while coding

When coding, ISO 27002 suggests using secure, language-specific practices and structured programming techniques for easier comprehension and debugging. The code should be appropriately documented to facilitate collaborative methods like pair programming and peer reviews for detecting and removing code defects and avoiding insecure programming techniques like hard-coded passwords, lack of input validation, and so on. This combined approach bolsters security and improves code quality.

Testing, both during development and post-development, is crucial for removing security-related bugs before the software is deployed. ISO 27002 recommends using Static Application Security Testing (SAST) as needed. Prior to operationalizing software, assessing the attack surface, confirming the application of the principle of least privilege in the code, and validating the code against common errors while documenting their mitigation are all relevant activities to be performed. This ensures robust software security before deployment.

What to do while performing review and maintenance

After deploying the code, ensure that the live environment is checked consistently for vulnerabilities by scanning with a DAST/SAST tool as needed, enabling and regularly reviewing the active logging of errors and security events, and performing penetration tests. Whatever vulnerabilities surface from these exercises should be handled promptly, and updates that fix the vulnerabilities should be securely packaged and deployed. Also, protect the source code from unauthorized access or tampering by using configuration management tools.

When incorporating external tools and libraries, look for trustworthy sources that are trackable and maintainable and have long-term development resources available. Ensure they are securely managed and updated regularly in release cycles. Choose authorized and validated third-party components for critical tasks like authentication and encryption.

When modifying third-party software, consider the risk if its built-in defenses are compromised, and whether vendor consent is required. It might be more appropriate for the vendors to make and release those required changes as updates. Assess the impact of bearing the responsibility of future maintenance on the organization and evaluate the compatibility of the changes with other software components.

How can SD Elements help?

Two primary means through which the practice of secure coding can become ingrained within an organization are security standards and developer education. SD Elements facilitates secure coding throughout the Software Development Life Cycle by gathering data about the specifics of the infrastructure (such as the technical stack, deployment context and regulatory requirements) through a survey and recommending relevant security countermeasures and practices to follow before, during, and after coding.

These countermeasures are largely based on relevant standards and guidelines like ISO/IEC 27001 and 27002, tailored by an internal team of researchers to the specifics of a particular infrastructure. SD Elements can integrate with different DAST/SAST scanners and project management tools to help maximize secure coding productivity.

Security Compass also provides developer education through training courses that cover secure coding practices for specific programming languages and techniques.