ISO27001A.8.28voice-validated

ISO27001 A.8.28: A.8.28

ISO/IEC 27001:2022 Information Security Management

Founder at SQUR · last verified 2026-06-19

Regulation text

Secure coding principles shall be applied to software development. Theme: Technological controls. (Full guidance: ISO/IEC 27002:2022 §8.28.)

ATT&CK techniques this article tests · 15

Technique	Why it maps	Confidence
	1. This control directly addresses vulnerabilities in public-facing applications. Secure coding principles reduce the attack surface for techniques like 'Exploit Public-Facing Application' (A.8.28).	90%
	1. Insecure coding can expose external remote services to unauthorized access. Applying secure coding principles strengthens these services against exploitation (A.8.28).	80%
	1. Secure coding prevents command injection vulnerabilities. This directly mitigates an adversary's ability to execute arbitrary commands via 'Command and Scripting Interpreter' (A.8.28).	85%
	1. Insecure software development can allow attackers to establish persistence by modifying autostart mechanisms. Secure coding prevents such modifications (A.8.28).	70%
	1. Secure coding principles are fundamental to preventing vulnerabilities that enable 'Exploitation for Privilege Escalation'. This control directly addresses the root cause (A.8.28).	95%
	1. Insecure code can contain flaws allowing attackers to bypass user account control mechanisms. Secure coding prevents these vulnerabilities (A.8.28).	75%
	1. While not direct, secure coding practices can make it harder for attackers to embed obfuscated code or information within legitimate applications, aiding defense evasion (A.8.28).	60%
	1. Secure coding prevents vulnerabilities that could allow unauthorized file deletion, a common defense evasion tactic. This protects system integrity (A.8.28).	65%
	1. Secure coding prevents hardcoded credentials or insecure storage of credentials within applications. This directly mitigates 'OS Credential Dumping' (A.8.28).	90%
	1. Preventing memory corruption vulnerabilities through secure coding reduces the attack surface for techniques like 'OS Credential Dumping: LSASS Memory' (A.8.28).	85%
	1. Secure coding prevents directory traversal and other information disclosure vulnerabilities. This limits an attacker's ability to perform 'File and Directory Discovery' (A.8.28).	70%
	1. Insecure code in network services can lead to compromise, enabling 'Remote Services: Remote Desktop Protocol' for lateral movement. Secure coding reduces this risk (A.8.28).	70%
	1. Secure coding prevents unauthorized access to local system data. This directly mitigates 'Data from Local System' collection by adversaries (A.8.28).	80%
	1. Insecure web applications can be exploited to establish 'Application Layer Protocol: Web Protocols' for command and control. Secure coding reduces this attack vector (A.8.28).	75%
	1. Secure coding practices prevent vulnerabilities that could allow attackers to corrupt or delete system recovery mechanisms, thereby inhibiting system recovery (A.8.28).	70%

Defending mitigations · 6

Mitigation	What it does	Confidence
M1032	1. Secure coding reduces the likelihood of vulnerabilities that could be exploited by non-privileged accounts, thereby supporting the effectiveness of 'Standard User Account' principles (A.8.28).	80%
M1038	1. Secure coding practices prevent flaws that allow attackers to bypass or abuse 'User Account Control' mechanisms, enhancing system integrity (A.8.28).	85%
M1040	1. Applying secure coding principles directly reduces the number of exploitable vulnerabilities. This strengthens 'Exploit Protection' by removing attack vectors (A.8.28).	90%
M1049	1. While not direct, secure coding reduces the likelihood of introducing malicious code or backdoors that 'Antivirus/Antimalware' solutions would need to detect (A.8.28).	70%
M1050	1. Secure coding principles are a proactive measure to prevent vulnerabilities. This complements 'Vulnerability Scanning' by reducing the number of flaws to be found (A.8.28).	95%
M1051	1. Secure coding ensures the integrity of the developed software. 'Code Signing' then verifies this integrity, preventing tampering after development (A.8.28).	75%

Underlying weaknesses · 7

CWE	Why it persists	Confidence
CWE-79	1. Secure coding principles directly address the prevention of 'Improper Neutralization of Input During Web Page Generation' (Cross-site Scripting) vulnerabilities (A.8.28).	95%
CWE-89	1. This control mandates secure coding to prevent 'Improper Neutralization of Special Elements used in an SQL Command' (SQL Injection) vulnerabilities (A.8.28).	95%
CWE-78	1. Secure coding practices are essential to prevent 'Improper Neutralization of Special Elements used in an OS Command' (OS Command Injection) (A.8.28).	90%
CWE-20	1. The application of secure coding principles directly addresses 'Improper Input Validation', a root cause of many software vulnerabilities (A.8.28).	90%
CWE-22	1. Secure coding prevents 'Improper Limitation of a Pathname to a Restricted Directory' (Path Traversal) by enforcing proper file access controls (A.8.28).	85%
CWE-434	1. Secure coding principles include validation of file types and content, preventing 'Unrestricted Upload of File with Dangerous Type' (A.8.28).	80%
CWE-502	1. Secure coding practices mitigate the risk of 'Deserialization of Untrusted Data' by ensuring proper handling and validation of serialized objects (A.8.28).	80%

What SQUR Covers

Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.

What SQUR Does Not Cover

Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.

Provenance

Mapped Q2.2026 using gemini-2.5-flash · €0.0197 compute · voice-rubric self-validated