To standardize and address such issues, we use industry frameworks to outline a set of best practices, standards and guidelines.

Industry frameworks ensure:

  • security
  • compliance with laws and policies
  • efficiency and maintainability

In Australia, two key cybersecurity frameworks are used:

  • Essential Eight
  • Information Security Manual (ISM)

Essential Eight

The Essential Eight is a set of baseline cyber security strategies designed for large companies to deter cybersecurity attacks.

1. Application control

Prevents unapproved or malicious software from executing. Helps stop malware, ransomware and unauthorised applications.

2. Patch applications

Apply patches that fix security vulnerabilities in software, so that attackers cannot exploit known flaws.

3. Restrict Microsoft Office macros

Limits potentially dangerous Microsoft Office macro settings, since macros can carry malware.

4. User application hardening

Disables unnecessary features in applications such as browsers or PDF viewers, since those features may contain flaws that can be exploited.

5. Restrict administrative privileges

Proper control of access and authorisation, so that only the users who genuinely need admin rights have them, reduces the risk of internal exploitation.

6. Patch operating systems

Maintain and update operating systems to prevent security vulnerabilities from being exploited.

7. Multi-factor authentication (MFA)

Multiple layers of authentication reduce the risk posed by stolen user accounts: passwords, biometrics, passkeys and other factors are combined before secured data is unlocked.

8. Regular backups

Ensures data can be restored after incidents such as ransomware or system failure.
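As an added illustration (not part of the notes or of the Essential Eight documentation), the eight strategies above can be expressed as measurable checks over a host inventory. The host fields, the sample hosts and the numeric thresholds (patch age, backup age, admin-account limit) are assumptions made for this example, not the official maturity-model values:

```python
"""Score a constructed host inventory against the eight strategies.

Added example: the Host fields and the thresholds below are assumptions for
illustration, not values taken from the Essential Eight maturity model.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_APP_PATCH_AGE_DAYS = 14   # assumed threshold
MAX_OS_PATCH_AGE_DAYS = 14    # assumed threshold
MAX_BACKUP_AGE_DAYS = 1       # assumed threshold
MAX_ADMIN_ACCOUNTS = 2        # assumed threshold


@dataclass
class Host:
    name: str
    app_control_enforced: bool    # 1. application control
    app_patch_age_days: int       # 2. patch applications
    office_macros_blocked: bool   # 3. restrict Office macros
    browser_hardened: bool        # 4. user application hardening
    admin_accounts: int           # 5. restrict administrative privileges
    os_patch_age_days: int        # 6. patch operating systems
    mfa_enforced: bool            # 7. multi-factor authentication
    last_backup_age_days: int     # 8. regular backups


def essential_eight_gaps(host: Host) -> list[str]:
    """Return the strategies this host fails, in Essential Eight order."""
    checks = [
        ("application control", host.app_control_enforced),
        ("patch applications", host.app_patch_age_days <= MAX_APP_PATCH_AGE_DAYS),
        ("restrict Office macros", host.office_macros_blocked),
        ("user application hardening", host.browser_hardened),
        ("restrict administrative privileges", host.admin_accounts <= MAX_ADMIN_ACCOUNTS),
        ("patch operating systems", host.os_patch_age_days <= MAX_OS_PATCH_AGE_DAYS),
        ("multi-factor authentication", host.mfa_enforced),
        ("regular backups", host.last_backup_age_days <= MAX_BACKUP_AGE_DAYS),
    ]
    return [name for name, passed in checks if not passed]


def summarise(hosts: list[Host]) -> dict[str, list[str]]:
    """Map each failed strategy to the hosts failing it, so the widest gap stands out."""
    by_strategy: dict[str, list[str]] = {}
    for host in hosts:
        for gap in essential_eight_gaps(host):
            by_strategy.setdefault(gap, []).append(host.name)
    return by_strategy


# Constructed inventory: one compliant workstation, one with user-side gaps,
# one server with privilege, patching, MFA and backup gaps.
SAMPLE_HOSTS = [
    Host("ws-01", True, 3, True, True, 1, 5, True, 0),
    Host("ws-02", False, 40, False, True, 1, 5, True, 0),
    Host("srv-01", True, 3, True, True, 5, 60, False, 9),
]

if __name__ == "__main__":
    for strategy, names in summarise(SAMPLE_HOSTS).items():
        print(f"{strategy}: {', '.join(names)}")
```

Running the script lists each failed strategy with the hosts behind it; in a real environment the Host values would come from endpoint management and identity tooling rather than being typed in.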

Information Security Manual (ISM)

The ISM is the Australian Government’s primary cybersecurity framework.

Guideline 1: development, testing and production environments

  • Separation of environments: development, testing and production systems should be separated.
  • Access controls: access to each environment should always be limited.
  • Data handling: don’t use real production data during testing; use masked or synthetic data instead.
  • Monitoring: access should be logged.
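Two of the points above (separation of environments and not using real production data in testing) can be enforced in code. The example below is added here and is not from the ISM: it turns constructed production-style records into test fixtures that keep the data's shape but not its real values, and refuses to run against a database host whose name looks like production. The masking key, the host-naming pattern and the sample records are all assumptions for this example:

```python
"""Pseudonymise production-style records for test use and refuse production hosts.

Added example. MASKING_KEY, PRODUCTION_HOST_PATTERN and PRODUCTION_SAMPLE are
constructed for illustration.
"""
import hashlib
import hmac
import re

# Assumed per-environment secret: pseudonyms stay stable across test runs but
# cannot be reversed or linked back to production without this key.
MASKING_KEY = b"test-env-masking-key-not-a-real-secret"

# Assumed naming convention for production database hosts.
PRODUCTION_HOST_PATTERN = re.compile(r"\bprod(uction)?\b|\.internal\.corp$")


def pseudonym(value: str, length: int = 12) -> str:
    """Keyed hash of a value: same input gives the same token, with no way back."""
    digest = hmac.new(MASKING_KEY, value.encode(), hashlib.sha256).hexdigest()
    return digest[:length]


def mask_record(rec: dict) -> dict:
    """Replace direct identifiers; keep the non-identifying fields tests rely on."""
    local, _, _domain = rec["email"].partition("@")
    return {
        "customer_id": pseudonym(str(rec["customer_id"])),
        "name": "Customer " + pseudonym(rec["name"], 6),
        "email": f"user-{pseudonym(local)}@example.test",  # reserved test domain
        "plan": rec["plan"],                  # non-identifying, keep for coverage
        "balance_cents": rec["balance_cents"],  # numeric field the logic under test needs
    }


def build_fixture(records: list[dict]) -> list[dict]:
    return [mask_record(r) for r in records]


def assert_not_production(db_host: str) -> None:
    """Guard a test run: raise if the configured host looks like production."""
    if PRODUCTION_HOST_PATTERN.search(db_host):
        raise RuntimeError(f"refusing to run tests against production host {db_host!r}")


# Constructed records standing in for a production export.
PRODUCTION_SAMPLE = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "plan": "gold", "balance_cents": 12_300},
    {"customer_id": 1002, "name": "Bob Example", "email": "bob@example.org",
     "plan": "free", "balance_cents": 0},
]

if __name__ == "__main__":
    assert_not_production("db-test.local")
    for row in build_fixture(PRODUCTION_SAMPLE):
        print(row)
```

The keyed hash is the important design choice: a plain SHA-256 of an email address can be reversed by hashing guesses, while an HMAC under a key that never leaves the test environment cannot, and the pseudonyms still stay consistent across fixture rebuilds so tests remain deterministic.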

Guideline 2: secure software design and development

  • Secure coding standards: use established frameworks and coding standards, with proper input validation techniques.
  • Threat modelling: developers should think about how their own design could be exploited and build defences around that.
  • Code reviews: developers should collaboratively check each other’s code to catch issues, including security issues.
  • Training: developers should be trained in cybersecurity and educated about threats.
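The "secure coding standards" point above is easiest to see as a vulnerable function beside its hardened form. This example is added here, not from the ISM: an SQL lookup that builds the query text from user input, next to the same lookup written with a parameterised query and an allow-list validator on the input. The table, the username rule and the sample rows are constructed for the example:

```python
"""Vulnerable string-built SQL beside the parameterised, validated version.

Added example; the users table, USERNAME_RE and the sample rows are constructed.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_role_unsafe(conn: sqlite3.Connection, username: str):
    """Vulnerable: the caller's string becomes part of the SQL text."""
    query = f"SELECT role FROM users WHERE username = '{username}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


# Assumed allow-list for usernames: lowercase letter, then 2-31 of [a-z0-9_].
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(username: str) -> str:
    """Reject anything outside the allow-list before it reaches any query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def lookup_role_safe(conn: sqlite3.Connection, username: str):
    """Hardened: input is validated, and the query keeps data out of the SQL text."""
    username = validate_username(username)
    row = conn.execute("SELECT role FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR role='admin' --"   # classic textbook input, no real user has it
    print("unsafe:", lookup_role_unsafe(db, crafted))   # returns alice's role
    try:
        lookup_role_safe(db, crafted)
    except ValueError as exc:
        print("safe:", exc)                              # rejected by the allow-list
```

Both layers matter: the parameterised query alone already stops the query text from being altered, and the allow-list additionally keeps unexpected characters out of logs, error messages and any later component that handles the same value.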

Guideline 3: application security testing

  • Static analysis (SAST): test source code without running the program to find vulnerabilities.
  • Dynamic analysis (DAST): test the application while it is running to find vulnerabilities.
  • Penetration testing: simulate cyber attacks to find vulnerabilities.
  • Remediation and retesting: fix the issues and vulnerabilities found, then test again to confirm they are resolved.
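To make the static analysis point concrete, here is an added example (not from the ISM or any real SAST product) of the core of a static check: it parses Python source into an abstract syntax tree without running it and flags calls that are common sources of vulnerabilities, such as eval/exec on runtime data, shell commands built from strings, and SQL execute calls whose query text is assembled dynamically. The rule set and the sample source it scans are constructed for the example:

```python
"""Minimal AST-based static check over constructed Python source.

Added example: the rules are a small illustrative subset, and SAMPLE_SOURCE is
constructed so that lines 4, 5 and 7 each trigger one finding.
"""
import ast


def dotted_name(expr: ast.AST) -> str:
    """Render `a.b.c` style call targets as a string; '' for anything else."""
    if isinstance(expr, ast.Name):
        return expr.id
    if isinstance(expr, ast.Attribute):
        base = dotted_name(expr.value)
        return f"{base}.{expr.attr}" if base else expr.attr
    return ""


def is_dynamic_string(expr: ast.AST) -> bool:
    """True for f-strings with placeholders, '%' / '+' string building, or .format()."""
    if isinstance(expr, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in expr.values)
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Mod, ast.Add)):
        return True
    if isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute):
        return expr.func.attr == "format"
    return False


def find_risky_calls(source: str, filename: str = "<constructed>") -> list[tuple[int, str]]:
    """Return (line, reason) findings, sorted by line, without executing the code."""
    findings: list[tuple[int, str]] = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        shell_true = any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        )
        if name in {"eval", "exec"}:
            findings.append((node.lineno, f"{name}() on runtime data"))
        elif name == "os.system":
            findings.append((node.lineno, "os.system() shell command"))
        elif name.startswith("subprocess.") and shell_true:
            findings.append((node.lineno, f"{name} with shell=True"))
        elif name.endswith(".execute") and node.args and is_dynamic_string(node.args[0]):
            findings.append((node.lineno, "SQL built from a dynamic string"))
    return sorted(findings)


# Constructed input: a handler mixing safe and unsafe patterns.
SAMPLE_SOURCE = '''\
import os, subprocess
def handler(conn, user_id, cmd):
    conn.execute("SELECT * FROM users WHERE id = ?", (user_id,))
    conn.execute(f"SELECT * FROM users WHERE id = {user_id}")
    subprocess.run(cmd, shell=True)
    subprocess.run(["ls", "-l"])
    return eval(cmd)
'''

if __name__ == "__main__":
    for line, reason in find_risky_calls(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```

The parameterised execute on line 3 and the list-form subprocess call on line 6 produce no finding, which is the property a real SAST rule needs as much as catching the bad cases: a check that flags every database call gets ignored. The dynamic counterpart (DAST) would instead exercise the running handler with inputs and watch its behaviour, which this example does not do.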