
ISO27001:2022 - Secure coding

Nowadays, security vulnerabilities are caused by program errors, and poorly controlled vulnerabilities in running applications can cause serious privacy leakage and lead to major security risks. It is therefore extremely important to make sure that the programs being developed cannot easily be leaked and do not make it convenient for hackers to gain access to devices.


The development and support processes covered by A.14.2 of the old version, ISO27001:2013, are divided after the revision into two aspects: the security of the development environment and the security of the development process. A.8.25 of the new version, ISO27001:2022, retains the development cycle, focusing on the security of the development process, and requires confirmation of the security of the development cycle in terms of services, hardware architecture, and software systems.


A.8.28 of the new ISO27001:2022, Secure coding (program development security), focuses on the security of the development process. It requires organizations to establish a process and to propose minimum security guidelines for the three stages of software development, in order to reduce information security breaches.


Today, many engineers are so-called "copy-and-paste engineers" who directly use code found on the Internet to implement functions. As a result, we often find code with the same vulnerability in many different programs. The Internet holds a lot of code that only cares about the execution result and not about whether it carries security risks. An application is best designed on the assumption that it is always under attack. Developers need to evaluate the possible attack surface of the application, and any execution that can be affected by user input requires special care.


Program development security should also be combined with control A.8.16 of ISO27001:2022, Monitoring activities, so that the program's exceptions are monitored in a timely manner and the errors that occur are recorded. This facilitates subsequent maintenance and allows errors to be found and eliminated by analyzing the log file. The finished product should then be protected by packing, code obfuscation and other source code protection mechanisms, in order to increase the cost and difficulty of reverse engineering and tampering by hackers. Finally, for post-release maintenance, to cover anything overlooked during development, the organization must ensure that the program has a secure update pipeline and can make immediate repairs when vulnerabilities are discovered, so that the damage does not spread.


How should it be specifically implemented in internal processes?

Everyone can refer to the OWASP organization’s Secure Coding Practices Quick Reference Guide project, which regularly updates a set of security guidelines for software development that readers can quickly absorb.

Key chapters include Input Validation, Authentication and Password Management, Session Management, Access Control, Cryptographic Practices, Data Protection, and Communication Security.

In practice, organizations should incorporate relevant content into their procedural documents based on product requirements. If there are cases of outsourced development, this can also be included in contracts.



-ASF Dan Lin
