Secure System Build Tools Implementation
Use security features in compilers and build tools to secure your software's executable files.
Plain language
This control is about using the security features in the tools that help create software, like compilers and build systems, to make sure the software is safe to use. It matters because if these features aren't used, it could lead to software that's vulnerable to hackers, causing data breaches or system failures that could damage a business's reputation and finances.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Topic
Build Solution
Official control statement
Compilers, interpreters and build tools (including pipelines) that provide security features to improve executable file security are implemented and such security features are used.
Why it matters
If build tools' security features are neglected, resulting software may harbour exploitable vulnerabilities, risking data loss and financial harm.
Operational notes
Verify that build scripts and pipeline definitions enable the compiler and linker hardening features available for the target platform (e.g. position-independent executables so ASLR can apply, a non-executable stack for DEP/NX, stack protectors, RELRO with immediate binding, FORTIFY_SOURCE, control-flow protection where supported), and routinely review pipeline logs and inspect the produced binaries to confirm these features actually reached the released artefact rather than only the developer's local build.
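One way to perform the "inspect the produced binaries" check above, as an added example that is not part of the ISM or Control Stack material: a small Python checker that reads an ELF64 binary's header, program headers and dynamic section and reports whether the linker-level hardening features reached the artefact. The mapping it relies on is the standard one for GCC/Clang on Linux: `-fPIE -pie` produces an `ET_DYN` executable so ASLR can relocate it, `-Wl,-z,noexecstack` produces a `PT_GNU_STACK` segment without the execute bit, `-Wl,-z,relro` adds `PT_GNU_RELRO`, and `-Wl,-z,now` sets `BIND_NOW` so the whole GOT can be made read-only (full RELRO). Stack protectors and FORTIFY_SOURCE show up as symbol references (`__stack_chk_fail`, `__*_chk`) rather than headers and are not parsed here; use `readelf -s` or `checksec` for those. `build_elf` constructs synthetic header-only images so the checker can be exercised offline; it is not a loadable binary. The function names and the pass/fail semantics are this example's own assumptions.

```python
"""Check an ELF64 binary for linker-level hardening (PIE, NX stack, RELRO).

Added example for illustration, not ISM or Control Stack code. Only the
ELF header, program headers and dynamic section are read, so no external
tools are needed; point it at real build artefacts from a pipeline step.
"""
import struct
import sys

# Constants from the ELF and GNU ABI specifications.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def check_hardening(data: bytes) -> dict:
    """Return {'pie': bool, 'nx': bool, 'relro': 'none'|'partial'|'full'}."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(data, 0)
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]

    # PIE: an executable linked with -pie is ET_DYN so ASLR can relocate it.
    # Shared objects are ET_DYN as well; the caller should know what it passes.
    pie = e_type == ET_DYN

    # NX: the linker emits PT_GNU_STACK; an executable flag, or a missing
    # header on older kernels, can leave the process with an executable stack.
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)

    # RELRO: PT_GNU_RELRO marks the GOT/.dynamic region read-only after
    # relocation. It is "full" only when BIND_NOW forces eager binding so the
    # entire GOT is inside the protected region.
    relro = "none"
    if any(p[0] == PT_GNU_RELRO for p in phdrs):
        relro = "full" if _bind_now(data, phdrs) else "partial"
    return {"pie": pie, "nx": nx, "relro": relro}


def _bind_now(data: bytes, phdrs) -> bool:
    """Walk the PT_DYNAMIC segment looking for any BIND_NOW indicator."""
    for p_type, _, p_offset, _, _, p_filesz, _, _ in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, DYN.size):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW
                    or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                return True
    return False


def build_elf(pie: bool, exec_stack: bool, relro: bool, bind_now: bool) -> bytes:
    """Construct a minimal synthetic ELF64 image (headers only, no code) so the
    checker can be exercised offline. Constructed test data, not a real binary."""
    phdrs = [(PT_GNU_STACK, 0x6 | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    dyn = (DYN.pack(DT_FLAGS_1, DF_1_NOW) if bind_now else b"") + DYN.pack(DT_NULL, 0)
    dyn_off = EHDR.size + PHDR.size * (len(phdrs) + 1)  # after all phdrs
    phdrs.append((PT_DYNAMIC, 0x6, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # ELF64, little-endian
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size,
                     0, 0, EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(*p) for p in phdrs) + dyn


if __name__ == "__main__":
    # Usage: python check_hardening.py path/to/binary [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_hardening(f.read()))
```

In a pipeline the natural gate is to fail the job when `pie`, `nx` or `relro == "full"` is not met for every released executable, so a regression in build flags (a new target that forgot `-pie`, an assembly file that pulled in an executable stack) is caught on the artefact rather than trusted from the build log.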
Implementation tips
- The IT team should review the software development build tools currently in use. They need to check if these tools have security features that can protect the software during the build process. Specific actions include researching documentation for any security options and settings in the compiler and enabling these features for active projects.
- Software developers should regularly update their build tools and compilers so that recent security features and patches are included. This involves scheduling update checks and subscribing to the tool providers' release and security announcements so that important updates are not missed.
- Managers overseeing software development projects should ensure that developers are aware of security features. This could be done by organising training sessions or workshops about using security features within development tools effectively. Include practical examples specific to their ongoing projects to enhance understanding.
- System owners should collaborate with the IT security team to conduct regular security audits of the software build process. Schedule periodic checks where the build configuration is reviewed to make sure security features are enabled and functioning as expected. Document the findings and actions taken for future reference.
- Procurement teams should include security feature checks as a criterion when purchasing new build tools. This means ensuring that any new tools have robust security capabilities and are capable of integrating with existing security measures. Engage with vendors to provide demonstrations or trial versions to evaluate the security features before purchase.
Audit / evidence tips
- Ask: the list of software tools used in development projects. Request documentation that details all compilers and build tools in use.
  Good: will show tools with security features enabled and updated versions documented.
- Ask: training records or materials. Request records or materials from developer training sessions focused on security features.
  Good: includes a recent session with practical, tool-specific security training documented.
- Ask: to see recent software build configuration files. Request access to the build configuration that developers use.
  Good: will show that security options such as compiler and linker hardening flags and artefact signing are turned on.
- Ask: a recent internal audit report on build processes. Request a copy of any recent security review of the build process.
  Good: will be a detailed report with identified issues and remedial actions completed.
- Ask: procurement documentation. Request any recent requests for proposal (RFPs) or purchase records.
  Good: includes clear references to security as a requirement in the selection process.
Cross-framework mappings
How ISM-2031 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.27 | ISM-2031 requires organisations to implement secure build tools and ensure their security features are used to harden executables |
| Partially overlaps | Annex A 8.29 | ISM-2031 requires organisations to use security features in compilers, interpreters and build pipelines to improve executable file security |
| Partially overlaps | Annex A 8.30 | ISM-2031 requires organisations to implement and use security features in compilers, interpreters and build pipelines to improve executab... |
| Supports | Annex A 8.9 | ISM-2031 requires organisations to configure compilers, interpreters and build pipelines to use security features that improve executable... |
| Supports | Annex A 8.28 | ISM-2031 requires organisations to implement and use build-tool security features (e.g |
| Related | Annex A 8.25 | Annex A 8.25 requires organisations to establish and apply rules across a secure development lifecycle for software and systems |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.