
Navigating Australian ISM Guidelines for Software Development


In 2017, the Australian Cyber Security Centre (ACSC), a division of the Australian Signals Directorate (ASD), released the Information Security Manual (ISM). This comprehensive guide offers practical advice on safeguarding systems and data.

The recent update, which provides specific guidance on secure software development, is of particular relevance to software developers. The ISM's Guidelines for Software Development are designed to assist developers in creating software that minimizes vulnerabilities and defends against potential cyber threats.

The ISM controls that make up the guidelines focus on six key areas applicable to traditional and mobile application development:

  • Development, testing, and production environments

  • Secure software design and development

  • Software bill of materials (SBOM)

  • Application security testing

  • Vulnerability disclosure program

  • Reporting and resolving vulnerabilities

The ISM is part of a larger global movement to secure the software supply chain in the wake of several high-profile and serious attacks, including the SolarWinds attack in 2020 and the Log4Shell vulnerability in 2021. The United Kingdom, the European Union, and the United States each have their own cybersecurity mitigation requirements, and you can learn more about global initiatives at Sonatype's Regulation and Compliance Resource Center.

Organizations are not yet required by law to comply with the ISM, but it provides effective and practical guidance that companies can follow to be confident they are not in violation of existing legislation and to defend against constant threats.

To help Australians make sense of the ISM's various controls and how they can be applied, we've developed an ISM User's Guide to Compliance. This document outlines each of the controls detailed in the Guidelines for Software Development and how Sonatype capabilities can help navigate their implementation.

Editor's note: Kenneth Jeffery served as co-author in creating this blog post. 


Written by Cameron Townshend

Cameron Townshend, BSc, MSysDev, MCP CP Snr, MCSD, has extensive experience building large mission-critical applications. He developed the WeatherChannel.com.au website and backend integration; this site won the 2010 Kentico Site of the Year for Integration and the 2011 Astra award for Most Outstanding Use of Technology. He was the initial project lead on the NSW Biosecurity Information System. He is both a hands-on developer and a skilled communicator and leader of project teams.