ISM-2040: ASD Information Security Manual (ISM)

Ensure Secure Programming Practices in Software Development

Develop software using secure programming methods tailored to the chosen language to prevent vulnerabilities.


Plain language

This control is about using safe and secure methods when building software, tailored to the specific programming language being used. It matters because if software is not developed securely, it can have weaknesses that hackers might exploit, putting data, finances, and reputations at risk.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Secure programming practices for the chosen programming language are used for software development.

Why it matters

Failure to apply secure programming practices can introduce vulnerabilities (e.g., injection, auth flaws), enabling compromise, data leakage, and service disruption.


Operational notes

Maintain language-specific secure coding standards and enforce them via peer reviews, SAST in CI/CD, dependency checks, and periodic developer secure-coding training.


Implementation tips

  • Identify key developers: The manager should identify and empower the key developers responsible for coding projects. Ensure they have the necessary training or resources to learn secure programming practices specific to the languages they use.
  • Integrate security into code reviews: Team leaders should include security checks as a part of the regular code review process. Ensure that every piece of code is not just checked for bugs but also for security vulnerabilities.
  • Set up developer guidelines: The IT team should develop and circulate clear, practical guidelines for secure coding. These should be easy to follow and aligned with recognised standards like those from the Australian Cyber Security Centre (ACSC).
  • Use automated tools: The IT team should implement tools that automatically check code for vulnerabilities as it's written. These tools can catch issues early, providing real-time feedback to developers.
  • Organise regular training: Management should arrange for ongoing training in secure coding tactics. Keep these sessions interactive and include recent examples of security failures and how they could have been prevented.

Audit / evidence tips

  • Ask: A list of secure coding guidelines. Ensure these documents outline procedures for secure programming practices in the languages used. Good: Guidelines explicitly tailored to the specific languages and frameworks in use.
  • Good: Each review session contains documented consideration of security vulnerabilities.
  • Ask: The records of security training sessions attended by developers. Good: Regular sessions with high developer participation and updated content about current threats.
  • Good: Tools are active, producing reports, and there is evidence of follow-up on identified issues.
  • Ask: How developers are encouraged to share experiences and lessons learnt from applying secure coding practices. Good: Regular feedback loops that help to continuously improve secure coding practices.

Cross-framework mappings

How ISM-2040 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Partially meets: Annex A 8.25. ISM-2040 requires developers to use secure programming practices for the chosen language as part of building software securely.
  • Supports: Annex A 8.29. ISM-2040 requires the use of secure programming practices to reduce the introduction of vulnerabilities during implementation.
  • Related: Annex A 8.28. Annex A 8.28 requires secure coding principles to be applied to software development.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
