Control Stack
ISM-2040 ASD Information Security Manual (ISM)

Ensure Secure Programming Practices in Software Development

Develop software using secure programming methods tailored to the chosen language to prevent vulnerabilities.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Secure programming practices for the chosen programming language are used for software development.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about using safe and secure coding methods when building software, tailored to the programming language in use. It matters because insecurely developed software can contain weaknesses that attackers exploit, putting data, finances and reputation at risk.

Why it matters

Failure to apply secure programming practices can introduce vulnerabilities (for example injection or authentication flaws), enabling compromise, data leakage and service disruption.

Operational notes

Maintain language-specific secure coding standards and enforce them via peer reviews, SAST in CI/CD, dependency checks, and periodic developer secure-coding training.

Implementation tips

  • Identify key developers: The manager should identify and empower the key developers responsible for coding projects. Ensure they have the necessary training or resources to learn secure programming practices specific to the languages they use.
  • Integrate security into code reviews: Team leaders should include security checks as a part of the regular code review process. Ensure that every piece of code is not just checked for bugs but also for security vulnerabilities.
  • Set up developer guidelines: The IT team should develop and circulate clear, practical guidelines for secure coding. These should be easy to follow and aligned with recognised standards like those from the Australian Cyber Security Centre (ACSC).
  • Use automated tools: The IT team should implement static analysis (SAST) and dependency-scanning tools that check code for vulnerabilities as it is written and again in CI/CD. These tools catch issues early, giving developers feedback before code is merged.
  • Organise regular training: Management should arrange for ongoing training in secure coding tactics. Keep these sessions interactive and include recent examples of security failures and how they could have been prevented.
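The injection risk named under "Why it matters" and the SAST-in-CI enforcement described in the operational notes and the tips above, as an added example that is not part of the ISM or of this Control Stack page. It shows, for Python, the vulnerable query construction beside the parameterised form, then a minimal AST rule that flags the vulnerable pattern so a CI job can fail the build. The database schema, user rows, SAMPLE_SOURCE text and all function names are constructed for illustration; the rule is a demonstration of the kind of check a CI lint enforces, not a production scanner.

```python
"""Added example: a Python-specific secure programming practice (parameterised
SQL) shown as the vulnerable pattern next to the hardened one, plus a small
AST-based check of the kind a CI job could run to enforce it. This is not code
from the ISM or Control Stack; the schema, sample users and SAMPLE_SOURCE are
constructed for illustration and the checker is deliberately minimal."""
import ast
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_roles_vulnerable(conn, name):
    """Vulnerable: the caller-supplied name is spliced into the SQL text, so a
    crafted value such as  x' OR '1'='1  changes the query's logic."""
    rows = conn.execute(f"SELECT role FROM users WHERE name = '{name}'")
    return sorted(row[0] for row in rows)


def lookup_roles_safe(conn, name):
    """Hardened: the name is bound as a parameter and is only ever data."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


# Constructed source text for the checker to scan; the backslash after the
# opening quotes makes "def bad" line 1.
SAMPLE_SOURCE = '''\
def bad(conn, name):
    return conn.execute(f"SELECT role FROM users WHERE name = '{name}'")

def also_bad(conn, name):
    return conn.execute("SELECT role FROM users WHERE name = '%s'" % name)

def good(conn, name):
    return conn.execute("SELECT role FROM users WHERE name = ?", (name,))
'''


def find_unparameterised_sql(source):
    """Minimal SAST-style rule (a constructed demonstration, not a complete
    scanner): report every .execute()/.executemany() call whose first
    argument is built by string formatting rather than passed as a constant
    with bound parameters. Returns a sorted list of (line_number, reason)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args):
            continue
        sql = node.args[0]
        if isinstance(sql, ast.JoinedStr):
            findings.append((node.lineno, "f-string used as SQL"))
        elif isinstance(sql, ast.BinOp) and isinstance(sql.op, ast.Mod):
            findings.append((node.lineno, "% formatting used as SQL"))
        elif isinstance(sql, ast.BinOp) and isinstance(sql.op, ast.Add):
            findings.append((node.lineno, "string concatenation used as SQL"))
        elif (isinstance(sql, ast.Call) and isinstance(sql.func, ast.Attribute)
              and sql.func.attr == "format"):
            findings.append((node.lineno, "str.format() used as SQL"))
        # A constant string, or a name this rule cannot resolve, is not
        # reported; a real scanner would add data-flow tracking for the latter.
    return sorted(findings)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_roles_vulnerable(db, payload))  # both roles leak
    print("safe:      ", lookup_roles_safe(db, payload))        # nothing matches
    for line, reason in find_unparameterised_sql(SAMPLE_SOURCE):
        print(f"SAMPLE_SOURCE line {line}: {reason}")
```

The same pattern transfers to other languages (prepared statements in Java, `$1` placeholders with database/sql in Go), which is why the control asks for practices tailored to the language in use rather than a single generic rule.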

Audit / evidence tips

  • Ask: the secure coding guidelines. Check that they set out secure programming practices for each language in use

    Good: guidelines explicitly tailored to the specific languages and frameworks in use

  • Ask: records of code reviews

    Good: each review contains documented consideration of security vulnerabilities

  • Ask: the records of security training sessions attended by developers

    Good: regular sessions with high developer participation and updated content about current threats

  • Ask: evidence from the automated code-checking tools (configuration and recent reports)

    Good: tools are active, producing reports, and there is evidence of follow-up on identified issues

  • Ask: how developers are encouraged to share experiences and lessons learnt from applying secure coding practices

    Good: regular feedback loops that help to continuously improve secure coding practices

Cross-framework mappings

How ISM-2040 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

  • Partially meets (1): Annex A 8.25 (Secure development life cycle). ISM-2040 requires developers to use secure programming practices for the chosen language as part of building software securely.

  • Supports (1): Annex A 8.29 (Security testing in development and acceptance). ISM-2040 requires the use of secure programming practices to reduce the introduction of vulnerabilities during implementation.

  • Related (1): Annex A 8.28 (Secure coding). Annex A 8.28 requires organisations to apply secure coding principles during software development to prevent vulnerabilities.
