Skip to content

Secure Coding Policy

Publication Summary

Title Secure Coding Policy
Author(s) Alessandro Cardinali
Issued by CEO

Version doc.

Review freq.

0.1

Yearly
Date of issue December 11, 2023
Owner Alessandro Cardinali
Document status Draft – Final Draft - Final
Approval Date n/a
Classification Internal

Change Log

Version Date Author Comments
0.1 December 11, 2023 First draft document
1.0 December 20, 2023

Contents

1 Introduction [8](#introduction)

2 Secure coding policy [9](#secure-coding-policy)

Introduction

Developing bespoke software provides a level of flexibility and functionality that is not always possible to reproduce using commercial off the shelf systems. [Organization Name] dedicates a significant amount of its resources to designing, coding, testing, releasing and maintaining its software according to industry best practice standards. As part of this, we have a responsibility to ensure that the computer code we produce is as secure as it reasonably can be. Insecure software allows vulnerabilities to be found which can provide a way in for malicious actors and requires our time to create and distribute patches.

In order to write software that minimises such vulnerabilities, there are a number of guiding principles that must be followed, in addition to the more detailed programming techniques that apply with specific languages. This policy defines these high-level principles as a starting point for the definition of lower-level procedures for the creation of secure code, as part of an effective, managed approach.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.

The following policies and procedures are relevant to this document:

  • Secure Development Environment Guidelines

  • Secure Development Policy

  • Principles for Engineering Secure Systems

Secure coding policy

It is the policy of [Organization Name] to write software in such a way that the number of potential vulnerabilities in the code is minimised.

Secure coding within [Organization Name] will be based on the principles established by best practice organizations including (but not limited to) the following:

  • OWASP (The Open Web Application Security Project®)

  • SEI CERT (Software Engineering Institute Computer Emergency Response Team)

  • UK NCSC (National Cyber Security Centre)

  • USA NIST (National Institute of Standards and Technology)

  • [Add further sources of best practice as applicable]

Secure coding practices in use within the organization will cover as a minimum the following topics (based on OWASP Secure Coding Practices V2.0):

  • Input validation

  • Output encoding

  • Authentication and password management

  • Session management

  • Access control

  • Cryptographic practices

  • Error handling and logging

  • Data protection

  • Communication security

  • System configuration

  • Database security

  • File management

  • Memory management

  • General coding practices

These general principles will be supplemented by technology-specific advice and guidance produced by the vendors of the technology in use, and third parties with particular expertise in them.

Secure coding practices will be established and documented for each development project, and will be communicated to third parties that create software on [Organization Name]’s behalf. Account will be taken of available threat intelligence and existing known vulnerabilities when defining these practices.

Good practice in writing code will be followed at all times including, where appropriate:

  • The use of structured programming techniques

  • Clear documentation and commenting of code

  • Consistent naming of items such as classes, methods and variables

  • Avoiding hard coding of credentials

  • Correct handling of errors

Appropriate software testing will be carried out to confirm that the documented coding techniques have been properly implemented prior to the release of the software to production.

Where possible, the use of secure coding techniques will be mandated via settings and automation within development tools, such as integrated development environments (IDE).

External software libraries used as part of the development process must be examined to assess them against the secure coding practices adopted for the relevant project.

A process must be in place for the management of vulnerabilities discovered after the release of the software into production.

Software fixes and updates must be subject to the same secure coding practices as the original development.