Attributes: Technological | Preventive | Protect | High Priority

A.8.28 Secure Coding

M365 Admin Path: Microsoft Defender > DevOps Security

Evidence Source: Azure DevOps and Defender

What is A.8.28 Secure Coding?

ISO 27001 control A.8.28 Secure Coding ensures that secure coding principles are applied to software development to reduce vulnerabilities in developed applications. The control establishes secure coding standards covering input validation, output encoding, authentication and session management, access control, cryptographic practices, error handling, and logging aligned with OWASP guidelines and enforced through code review and automated scanning.

How to implement A.8.28 in Microsoft 365

Establish a Secure Coding Standards document

Implement A.8.28 by establishing a Secure Coding Standards document covering:

  • Input Validation for all external inputs
  • Output Encoding to prevent XSS
  • Authentication via Entra ID libraries, not custom code
  • Session Management using platform defaults
  • Access Control via RBAC
  • Cryptography using platform APIs, not custom implementations
  • Error Handling that exposes no sensitive data
  • Logging of security events

Require code review that verifies compliance with these standards.

Deploy Microsoft Defender for DevOps SAST scanning

Deploy Microsoft Defender for DevOps SAST scanning to detect coding violations in pull requests. Provide secure coding training to developers under A.6.3 (information security awareness, education and training).
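One way to wire the scan into an Azure DevOps pipeline so findings surface on every pull request, as an added example that is not part of this page or of Microsoft's documentation; the task name, input names and category values are assumed from the Microsoft Security DevOps extension and should be checked against your organisation's installed version:

```yaml
# azure-pipelines.yml (assumed file name) - added example, not the page's own content.
# Runs the Microsoft Security DevOps task on pushes to main and on every PR targeting
# main, so SAST results are attached to the PR before merge. Task and input names are
# assumptions; confirm them against the extension installed in your organisation.
trigger:
  branches:
    include:
      - main

pr:
  branches:
    include:
      - main                     # scan pull requests targeting main

pool:
  vmImage: 'windows-latest'

steps:
  - task: MicrosoftSecurityDevOps@1
    displayName: 'Microsoft Security DevOps (code, secrets, IaC)'
    inputs:
      categories: 'code,secrets,IaC'   # assumption: category names as documented
      break: true                      # fail the build on findings so the PR cannot merge
```

Pair this with a branch policy on main that requires the build to succeed, and connect the Azure DevOps organisation to Defender for Cloud so the results appear under Microsoft Defender > DevOps Security as audit evidence.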

Document exceptions with risk acceptance

Document any exception to the secure coding standards, each with a recorded risk acceptance.

What an auditor checks for A.8.28

  • Auditors will verify that a Secure Coding Standards document exists and covers OWASP guidelines.
  • They will check that the code review process includes secure coding verification.
  • Auditors will verify that Defender for DevOps SAST scanning detects coding violations in PRs.
  • They will check that developer training records include secure coding modules.
  • Auditors will verify that exceptions to the secure coding standards have documented risk acceptance.
  • They will check that SAST scan results show a trend of improving secure coding compliance.
