# 3.4 Information Security Assurance

The cybersecurity environment has continuously worsened over the last decade, and will continue to deteriorate into the foreseeable future. While strong infosec capabilities are necessary for a company’s survival, teams that integrate superior infosec capabilities into their development process will have a key competitive advantage over their industry peers.

## 3.4.1 Secure Design Principles

Level: Basic

Your team consistently assesses a product’s security needs at the start of the design phase, and translates those needs into design decisions that will mitigate the identified threats.

A “Secure by Design” approach integrates security into the product design process, reducing long-term security costs by making the product intrinsically secure and ensuring that any unavoidable security issues are recognized early. If multiple teams are working on a single product, inter-team collaboration will be necessary to ensure that all aspects of the product are properly secured.

## 3.4.2 Secure Coding Principles

Level: Basic

Your team understands, and consistently follows, secure coding principles. These principles are formalized by the team via agreed standards and specific security goals.

The use of secure coding principles is vital to ensuring that the software your team designs is secure; organizations such as OWASP publish structured guides for following secure coding practices. Any adopted framework or methodology should include regular reviews to confirm that the team adheres consistently to those practices.

## 3.4.3 Secure Development Lifecycle

Level: Basic

Your team performs security assurance at every step of the software development process, and receives the support and resources it needs to ensure new features and updates can be implemented securely.

Security should be embedded into team workflows throughout the entirety of the development process, from planning to design, coding, release, and maintenance/ops. If multiple teams are working on a single project, inter-team collaboration will be necessary to ensure that all aspects of the product are properly secured.

## 3.4.4 Automated Security Assessment

Level: Intermediate

Your team regularly ensures the security of its work through automated security testing routines and services, including the use of third-party tools and assessments.

Automated security evaluations complement manual security assessments and reduce the mean time to detect a flaw, threat, or compromise. A team’s automated toolkit should generally include both internally developed tools/processes and third-party services.

## 3.4.5 Industry-Specific Security Practices

Level: Intermediate

Your team understands how much security risk is considered acceptable within the industry your product is designed for, and your product’s current level of risk meets that standard.

The definition of “acceptable risk” varies by industry, which means product development decisions must be tailored to the standards of the industry the product is designed for. To avoid inadvertent breaches of these standards, it’s important that all team members have a strong understanding of the security and compliance obligations they need to adhere to.

## 3.4.6 Third-Party Security Risk Control

Level: Advanced

Your team uses a security risk evaluation process to ensure that any third-party services it adopts will not expose your product or service to excessive security risks, either during development or in production.

If your engineering team has the autonomy to adopt or integrate with third-party services without outside approval, then it also has a responsibility to ensure it can do so securely. Insecure third-party relationships, which may arise from issues such as granting a third party overly broad user permissions, can lead to catastrophic security failures.