Conduct secure coding and development training for developers.
CONTROL ID
06822
CONTROL TYPE
Behavior
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain training plans., CC ID: 00828

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is necessary to provide in-house and outside education to personnel (including outsourcee's staff) who are involved in the development, operation, or use of computer systems, taking into account their job descriptions, assigned duties, years of experience, and so on. (C15.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The FI should ensure its software developers are trained or have the necessary knowledge and skills to apply the secure coding and application security standards when developing applications. (§ 6.1.5, Technology Risk Management Guidelines, January 2021)
  • Complete core security training. (§ 1.1, Microsoft Simplified Implementation of the Security Development Lifecycle (SDL), 1.0)
  • Examine the software development policies and procedures to verify developers are required to receive training in secure coding techniques. (Testing Procedures § 6.5.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Developers must be trained in secure coding techniques, including how to avoid common coding vulnerabilities and how sensitive data is handled in memory. (PCI DSS Requirements § 6.5 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Address common coding vulnerabilities in software-development processes as follows: - Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. - Develop applications based on secure coding guideline… (6.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Address common coding vulnerabilities in software-development processes as follows: - Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities. - Develop applications based on secure coding guidelines. (6.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Address common coding vulnerabilities in software-development processes as follows: - Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities. - Develop applications based on secure coding guidelines. (6.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are developers trained at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities? (6.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are developers trained in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory? (6.5 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are developers trained at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities? (6.5(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are developers trained in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory? (6.5 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are developers trained at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities? (6.5(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine software-development policies and procedures to verify that up-to-date training in secure coding techniques is required for developers at least annually, based on industry best practices and guidance. (6.5.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine records of training to verify that software developers receive up-to-date training on secure coding techniques at least annually, including how to avoid common coding vulnerabilities. (6.5.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Software development personnel working on bespoke and custom software are trained at least once every 12 months as follows: (6.2.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • On software security relevant to their job function and development languages. (6.2.2 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Including, if security testing tools are used, how to use the tools for detecting vulnerabilities in software. (6.2.2 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Including secure software design and secure coding techniques. (6.2.2 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine software development procedures to verify that processes are defined for training of software development personnel developing bespoke and custom software that includes all elements specified in this requirement. (6.2.2.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine training records and interview personnel to verify that software development personnel working on bespoke and custom software received software security training that is relevant to their job function and development languages in accordance with all elements specified in this requirement. (6.2.2.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are developers trained in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory? (PCI DSS Question 6.5(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are developers trained in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory? (PCI DSS Question 6.5(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Software development personnel working on bespoke and custom software are trained at least once every 12 months as follows: (6.2.2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • On software security relevant to their job function and development languages. (6.2.2 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Including secure software design and secure coding techniques. (6.2.2 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Including, if security testing tools are used, how to use the tools for detecting vulnerabilities in software. (6.2.2 Bullet 3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Software development personnel working on bespoke and custom software are trained at least once every 12 months as follows: (6.2.2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • On software security relevant to their job function and development languages. (6.2.2 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Including secure software design and secure coding techniques. (6.2.2 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Including, if security testing tools are used, how to use the tools for detecting vulnerabilities in software. (6.2.2 Bullet 3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Software development personnel working on bespoke and custom software are trained at least once every 12 months as follows: (6.2.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • On software security relevant to their job function and development languages. (6.2.2 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Including secure software design and secure coding techniques. (6.2.2 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Including, if security testing tools are used, how to use the tools for detecting vulnerabilities in software. (6.2.2 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • On software security relevant to their job function and development languages. (6.2.2 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Including, if security testing tools are used, how to use the tools for detecting vulnerabilities in software. (6.2.2 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Including secure software design and secure coding techniques. (6.2.2 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Software development personnel working on bespoke and custom software are trained at least once every 12 months as follows: (6.2.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Education / training should be given to provide Information Technology development staff and systems development staff with the skills they need to design systems and develop security controls in a disciplined manner (e.g., using an approved systems development lifecycle). (CF.02.04.05a, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide Information Technology development staff and systems development staff with the skills they need to implement Information Security controls effectively. (CF.02.04.05b, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide Information Technology development staff and systems development staff with the skills they need to configure and maintain computer installations, storage systems, and networks correctly. (CF.02.04.05c, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide Information Technology development staff and systems development staff with the skills they need to apply required security controls effectively (e.g., preventing unauthorized or incorrect updates). (CF.02.04.05d, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide Information Technology development staff and systems development staff with the skills they need to design systems and develop security controls in a disciplined manner (e.g., using an approved systems development lifecycle). (CF.02.04.05a, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide Information Technology development staff and systems development staff with the skills they need to implement Information Security controls effectively. (CF.02.04.05b, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide Information Technology development staff and systems development staff with the skills they need to configure and maintain computer installations, storage systems, and networks correctly. (CF.02.04.05c, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide Information Technology and systems development staff with the skills they need to write and review secure application source code. (CF.02.04.05d, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide Information Technology development staff and systems development staff with the skills they need to apply required security controls effectively (e.g., preventing unauthorized or incorrect updates). (CF.02.04.05e, The Standard of Good Practice for Information Security, 2013)
  • Ensure that all software development personnel receive training in writing secure code for their specific development environment. (Control 18.8, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. (CIS Control 18: Sub-Control 18.6 Ensure Software Development Personnel are Trained in Secure Coding, CIS Controls, 7.1)
  • Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. (CIS Control 18: Sub-Control 18.6 Ensure Software Development Personnel are Trained in Secure Coding, CIS Controls, V7)
  • Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way… (CIS Control 16: Safeguard 16.9 Train Developers in Application Security Concepts and Secure Coding, CIS Controls, V8)
  • Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and up… (CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process, CIS Controls, V8)
  • This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of. (M1013 Application Developer Guidance, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • The use of containers shifts much of the responsibility for security to developers, so organizations should ensure their developers have all the information, skills, and tools they need to make sound decisions. Also, security teams should be enabled to actively enforce quality throughout the develop… (7 ¶ 5, NIST SP 800-190, Application Container Security Guide)
  • Implement Roles and Responsibilities (PO.2): Ensure that everyone inside and outside of the organization involved in the SDLC is prepared to perform their SDLC-related roles and responsibilities throughout the SDLC. (PO.2, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • Provide role-based training for all personnel with responsibilities that contribute to secure development. Periodically review personnel proficiency and role-based training, and update the training as needed. (PO.2.2, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)