ISO 27001 Software Development Lifecycle Vulnerabilities Checklist

Download Free ISO27001/ISO17799 Software Development Lifecycle Vulnerabilities Checklist
Download Free Software Development Lifecycle Vulnerabilities Checklist

Controls over data handling.
Are inventories kept up-to-date? Is there an inventory for physical media, especially those that may contain sensitive corporate data? Can an authorized user simply put a diskette in his or her pocket and walk out of the building? How is paper eliminated from the office space? Are shredders used to make removal of sensitive documents from trash cans more difficult?

Weak or missing physical controls.
Are key elements of a network located in a shared location? In many cases, the security of a system may be bypassed by simply booting the system from a floppy diskette. Does the organization require employee identification badges to be worn? More importantly, if employees notice someone walking around the building without a badge, are they trained to question the person or bring his or her presence to someone's attention? These are just a few questions that address physical security concerns that can affect the security of a computer system if left unchecked.

Inadequate procedural controls.
Clear, concise, written procedures can help to eliminate confusion over specific processes and to ensure that management security objectives are implemented. They can also help to fill voids when trained personnel leave the company or move to other positions. The problem is that many people do not like to write down procedures, and many descriptions are written without the procedures being fully implemented.

Poor programming practices.
For years, programmers have written backdoors into software so that they can get back into it later to fix problems. This practice creates two major problems. First, programmers sometimes forget to remove these backdoors before the code is shipped. Second, backdoors are exactly the kind of avenue that many would-be attackers search for and use to gain unauthorized access to systems. Software needs to be written with security as part of its foundation, which includes the use of sound programming practices.

Operating system weaknesses.
The biggest security challenge for most system administrators is keeping up with the latest patches for operating systems. This is a real challenge for software vendors as well, because resource-sharing functions typically conflict with security requirements, so a tradeoff is made to balance the two. Operating systems need to be hardened before being placed on production systems. Once they become operational, system administrators need to remain vigilant, watching for new vulnerabilities and patches as they are discovered. Teamwork between system administrators, the security community, and vendors is the best way to guard against operating system weaknesses.

Attachments:
  • software-development-lifecycle-vulnerabilities-checklist.jpg (19.57 KB)
  • software-development-lifecycle-vulnerabilities-checklist.pdf (11.6 KB)
  • software-development-lifecycle-vulnerabilities-checklist.xls (15 KB)

