Evidence for A.8.28 Secure Coding would include:
- Secure Coding Policy: Documentation of a formal policy or guideline that outlines secure coding practices to be followed by developers during the software development process.
- Secure Coding Training: Evidence that developers have received training on secure coding practices, including the topics covered, training materials, and attendance records.
- Code Review Reports: Reports from code reviews conducted by qualified security experts to assess the security of the application's source code and identify potential security flaws.
- Code Analysis Tools: Information on the use of automated code analysis tools to identify security vulnerabilities and coding errors in the application code.
- Code Samples: Samples of code demonstrating the implementation of secure coding practices, such as input validation, output encoding, and protection against common security issues (e.g., SQL injection, cross-site scripting).
- Security Frameworks: Documentation showing the use of secure coding frameworks or libraries that offer security controls to assist developers in building secure applications.
- Secure Development Guidelines: Evidence of the integration of secure coding guidelines into the software development process and the measures taken to ensure adherence to these guidelines.
- Developer Responsibilities: Information on how developers are held accountable for following secure coding practices, such as code reviews, peer assessments, or other quality control mechanisms.
- Security Bug Tracking: Evidence of a process to track and manage security-related bugs and issues discovered during the development process and their resolution.
- Incident Response: Documentation of procedures to handle and respond to security incidents related to coding vulnerabilities discovered during development.
- Continuous Improvement: Evidence of continuous efforts to improve secure coding practices based on lessons learned from previous security assessments or incidents.
- Compliance with Standards: Verification that the organization's coding practices align with relevant security standards, such as the OWASP Top Ten or other industry best practices.

By reviewing these pieces of evidence, you can assess the organization's commitment to implementing secure coding practices and evaluate the level of security awareness among developers. The goal is to ensure that the application code is developed with security in mind, minimizing the risk of introducing security vulnerabilities that could be exploited by attackers.