Secure coding training for ISO 27001 compliance

Information security has become the pillar of a successful IT company, both in service and product companies. Having an information security certificate demonstrates to customers the existence of proper processes and reliability, and can be a decision factor in winning projects or increasing sales. Additionally, a security certificate makes the company managers review the best practices of protecting IT systems, and this security certificate not only strengthens the security posture of the business but also covers the responsibility of security leaders in case of an incident.

ISO 27001 compliance certification

The ISO 27001 security certification is one of the internationally recognized security certifications for businesses. ISO 27001 belongs to the set of security standards that explicitly requires the security training of all employees, including developers responsible for building the products and operating the business infrastructure. In order to build secure-by-design software, developers need to prepare themselves to go beyond just the mandatory compliance training.

Preparing developers for ISO 27001 security 

Below are a few selected security topics and controls developers need to pay special attention to. 

Information security training requirements for developers

At the very core of the standard, Objective A.7.2.2 states that “Information security awareness, education, and training needs to be delivered to all employees as relevant to their job function.” Not only that, but contractors also need to be given this awareness training. What else could be more relevant to developers than secure coding best practices? Developers and other engineers need to master the fundamentals of software security to be able to avoid costly mistakes. This typically goes beyond the basic requirements and it is recommended that developers continuously invest time in learning software security and reliability.

Secure development in ISO27001

Objective A.14.2 specifically calls for security in development processes. It starts with establishing a secure development policy that applies to the Secure Development Lifecycle (SCLC). Objective A.14.2.3. in particular demands testing and reviewing of each application. Objective A.14.2.5 requires secure system engineering principles to be implemented for any information system. When vulnerabilities are discovered, there should be a technical vulnerability management process (A.12.6) to prevent the exploitation of these vulnerabilities. Without proper secure coding training the developers at the organization might not be prepared to remediate these vulnerabilities, or the vulnerability management might become too costly for the company.

Access control

In any information system, access control is one of the cornerstones of operation. Implementing proper access control to information assets requires knowledge of security techniques and security features available in common programming frameworks. These frameworks often already have access control mechanisms in place that developers are not aware of. Developers need to work on implementing proper identity management and authorization to minimize access to critical information. Quite often, whether out of convenience or ease-of-implementation, developers grant access to assets far beyond the necessary use.

One such asset could be the software source code or documentation, and developers need to ensure that users with unauthorized access cannot break into and compromise critical information.

With the advent of GDPR, CCPA, and similar privacy protocols, the importance of personally identifiable information (PII) has become critical. This is expressed in A.18.1.4 that mandates the protection of private data. Using risk management thinking, developers need to ensure that PII is accessed, handled, and stored properly. This is especially true considering most software components are now using cloud resources, where the security responsibilities have become blurry for developers.

Proper use of cryptography

According to ISO27001 Objective A.10, developers need to implement appropriate cryptographic controls for protecting key information assets. This includes the implementation of correct key management. Again, note that it is a mistake to reinvent the wheel and try to figure out new crypto protocols. Most of the frameworks have appropriate, battle-tested crypto libraries that developers can use. The goal is to define guardrails and best practices on how to use these tools.

Outdated controls: a cautionary note

Security decision makers and developers need to understand that the latest ISO27001 standard dates back to 2013. Since then, many of the controls have become less important. One good example is the strict controls around network and perimeter security that are difficult to enforce. With the ubiquitous use of cloud resources, it is difficult to implement segregation of networks. Instead, one has to assume that the attackers have access to the network resources and engineers need to protect them with appropriate security controls.

ISO 27001 compliance relies on people

IT management relies on People, Processes and Technology. IT security maturity and risk management can be demonstrated by properly implementing the ISO 27001 framework. In this blog, we highlighted a few key recommendations and controls regarding ISO 27001. But the successful implementation of such a framework ultimately depends on the workforce of the company. More specifically, it depends on the security skills of developers. Avatao teaches developers the necessary security skills to build secure software.