Secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, and secure programming practices are used as part of application development.
Follow all secure coding practices that are appropriate to the development languages and environment to meet the organization’s requirements.
To ensure secure software development, implement robust coding practices that minimize vulnerabilities and maintain code quality. These include input/output validation, avoiding unsafe functions, and implementing proper error handling. Leverage tools and environments that encourage secure coding through automation, such as linters, formatters, and just-in-time training features. When automated methods are insufficient, follow manual compliance procedures. Regularly check for vulnerabilities specific to development languages and environments, and require developers to review their code alongside formal code reviews by others.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-01-11-01-01 | Validate and secure inputs/outputs | Implement robust input validation to prevent injection attacks and ensure all outputs are properly encoded to mitigate vulnerabilities such as cross-site scripting (XSS). | Development | Developers |
SSS-02-01-11-01-02 | Utilize secure coding tools and standards | Use tools like linters and formatters to enforce coding standards, and configure development environments to provide just-in-time secure coding training. Ensure consistent application of secure coding principles. | Development | DevOps Teams |
SSS-02-01-11-01-03 | Implement error handling and logging | Detect errors and handle them gracefully to avoid exposing sensitive information. Incorporate logging and tracing capabilities to track issues and support debugging without compromising application security. | Development | Developers |
SSS-02-01-11-01-04 | Perform manual and automated code reviews | Use automated tools to detect common vulnerabilities and require developers to conduct self-reviews of their human-readable code. Complement this with peer or tool-assisted code reviews to ensure comprehensive compliance with secure coding standards. | Deployment | Quality Assurance Teams |
SSS-02-01-11-01-05 | Check for language-specific vulnerabilities | Regularly analyze the source code for vulnerabilities specific to the programming languages and development environments in use. Update practices as new threats emerge and ensure all findings are addressed before deployment. | Post-deployment | Security Analysts |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-0401); NIST Secure Software Development Framework (PW.5.1); SSDF (PW.5.1: Follow all secure coding practices - Example) | | |