The ISO 27001/27002 Standards Navigate the Complex Landscape of Third-Party Code Security
In modern software development, most application code is not written in-house. Instead, organisations rely on open-source libraries, third-party code, and outsourced development, which poses significant challenges for cybersecurity. The ISO 27001/27002 information security and privacy standards provide guidance here, requiring organisations to establish secure coding responsibilities with their outsourcing suppliers.
The Unseen Web of Code Ownership
As businesses navigate the digital landscape, it's crucial to recognise that not all code is proprietary. The intricate fabric of application code comprises a blend of open-source, third-party libraries, and outsourced code, alongside in-house development. However, in the event of a data breach, customers remain indifferent to the origins of compromised software, placing the onus on the organisation to rectify the situation.
ISO Standards: Safeguarding in a Collaborative Realm
Acknowledging the collaborative nature of modern software, the updated ISO 27001/27002 standards highlight the need for organisations to address security risks associated with products and services provided by external entities. Released in October 2022, these standards offer guiding principles to fortify security for outsourced and third-party code, as well as cloud services.
Ensuring Security for Third-Party Software
While using third-party libraries for routine tasks brings efficiency, it also introduces vulnerabilities. ISO recommends vigilant monitoring for vulnerabilities and prompt application of patches and updates. Yet organisations must go beyond simply accepting a library as safe and conduct their own security testing. For libraries accessed only through APIs, where source code is unavailable, automated Dynamic Application Security Testing (DAST) and manual penetration testing become essential.
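The "monitor for vulnerabilities and patch promptly" practice above is usually implemented as a software composition analysis step that compares an application's pinned dependencies against published advisories. The script below is an added example written for this article, not code from the article, from ISO, or from any real scanner; the package names, versions and advisory identifiers in it are constructed sample data, and it assumes a requirements.txt-style manifest of `name==version` lines and advisories expressed as an introduced version (inclusive) and a fixed version (exclusive). It deliberately compares versions numerically rather than as strings, because a lexical comparison would wrongly flag 1.10.0 as older than 1.9.5.

```python
"""Dependency vulnerability check for third-party libraries.

Added example, not the article's own code. The manifest and the advisory
list below are CONSTRUCTED sample data with hypothetical package names and
advisory ids; they do not describe real software or real vulnerabilities.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.4.10' into (1, 4, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(manifest: str) -> Dict[str, Version]:
    """Parse a requirements.txt-style manifest of pinned 'name==version' lines."""
    pinned: Dict[str, Version] = {}
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "==" not in line:
            # An unpinned dependency cannot be assessed reproducibly; refuse it.
            raise ValueError(f"unpinned dependency, cannot assess: {line!r}")
        name, version = line.split("==", 1)
        pinned[name.strip().lower()] = parse_version(version)
    return pinned


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: Version        # first affected version (inclusive)
    fixed: Optional[Version]   # first fixed version (exclusive); None = no fix yet

    def affects(self, version: Version) -> bool:
        if version < self.introduced:
            return False
        return self.fixed is None or version < self.fixed


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    advisory_id: str
    fix: str   # version to upgrade to, or 'none available'


def check_manifest(manifest: str, advisories: List[Advisory]) -> List[Finding]:
    """Return one Finding per advisory that affects a pinned dependency."""
    pinned = parse_manifest(manifest)
    findings: List[Finding] = []
    for adv in advisories:
        installed = pinned.get(adv.package.lower())
        if installed is None or not adv.affects(installed):
            continue
        findings.append(Finding(
            package=adv.package,
            installed=".".join(map(str, installed)),
            advisory_id=adv.advisory_id,
            fix=".".join(map(str, adv.fixed)) if adv.fixed else "none available",
        ))
    return findings


# Constructed sample manifest (hypothetical packages, not a real project).
SAMPLE_MANIFEST = """\
examplehttp==2.3.1
fastparse==1.10.0   # newer than 1.9.5; a string comparison would get this wrong
imgtool==0.8.2
"""

# Constructed sample advisories (hypothetical ids, not real CVEs or GHSAs).
SAMPLE_ADVISORIES = [
    Advisory("EX-ADV-0001", "examplehttp", parse_version("2.0.0"), parse_version("2.3.2")),
    Advisory("EX-ADV-0002", "fastparse", parse_version("1.2.0"), parse_version("1.9.5")),
    Advisory("EX-ADV-0003", "imgtool", parse_version("0.8.0"), None),
]

if __name__ == "__main__":
    for f in check_manifest(SAMPLE_MANIFEST, SAMPLE_ADVISORIES):
        print(f"{f.package}=={f.installed}: {f.advisory_id}, upgrade to {f.fix}")
```

Run as written, the check reports two findings: `examplehttp` 2.3.1 (patched in 2.3.2) and `imgtool` 0.8.2 (no fix available yet, so the library needs a compensating control or replacement rather than an upgrade), while `fastparse` 1.10.0 is correctly recognised as already past the fixed version. In a real pipeline the advisory list would be fetched from a vulnerability database and the check would run on every build so that new advisories surface without waiting for a manual review.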
ISO 27002: Safeguarding Outsourced Code
Outsourcing development presents a myriad of advantages, but it also carries security risks. ISO 27002 establishes a set of requirements for all stages of outsourced development. The process begins with thorough research of the outsourcing supplier, scrutinising reputation, documentation, and certifications, with a special emphasis on security practices. Negotiating a robust contract follows, delineating responsibilities, non-disclosure agreements, ownership of code, and intellectual property.
Access control is paramount during development, dictating secure procedures for code delivery. At contract termination, stringent measures include revoking access rights, ensuring data destruction, and the return of assets. Security testing remains an ongoing commitment, combining Static Application Security Testing (SAST) during development and DAST after deployment.
Cloud Services: A Special Agreement
For cloud infrastructure, ISO 27002 necessitates a unique agreement with cloud service providers. This agreement mandates the use of industry-standard architecture, secure access controls, and vigilant handling of sensitive data. Provider obligations extend to intrusion monitoring, malware detection, and dedicated support in case of a breach. Contractual terms must be applied to subcontractors, and data must be returned and properly removed from systems at contract termination.
The Organisational Responsibility
In the realm of cybersecurity, organisations bear the ultimate responsibility for data confidentiality, integrity, and availability. Whether software originates in-house, from a cloud provider, or an outsourced supplier, security testing, encompassing SAST and DAST, emerges as the linchpin. In securing the digital domain, ISO standards and robust testing ensure organisations navigate the complex landscape of third-party code with resilience and compliance.
A message from our sponsors, The Ideas Distillery:
If you would like to look at how to implement an ISO 27001 information security management system, then simply contact us.
Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).