ASD draws a hard line on developers lacking security skills


An updated ASD ISM has landed with new and revised controls.

Organisations should not hand software projects to developers who don't have the security skills to handle them safely: that's the blunt official message from the Australian Signals Directorate (ASD).


ASD has updated its Information Security Manual (ISM) with new controls, one of which (ISM-2121) states that "software developers that lack sufficient cyber security knowledge and skills required for their projects or tasks are not used."

The vetting requirement for coders is part of ASD's push for a "secure by default" approach to software development.

The aim is software that is secure "out-of-the-box", needing little or no additional setup or configuration to reach an adequate level of security.

A companion control suggests developers undertake training or upskilling in secure coding and programming practices, and another asks organisations to record developers' cyber security knowledge and skills in a register that is kept up to date.

ASD also recommends the use of threat intelligence services with AI models for event detection.

The ISM also directs the use of AI models for penetration testing and for software security testing.

Watch what goes onto LinkedIn

Three new controls advise personnel against posting about their work-related skills, duties and security clearances on unauthorised online platforms.

One of them, ISM-2107, also encourages the use of privacy settings to restrict who can view personal posts.

Such recommendations come at a time when adversaries use open source intelligence (OSINT) to target people and projects for espionage, which costs Australia billions of dollars a year.

Australian Security Intelligence Organisation (ASIO) director-general Mike Burgess illustrated the risk at the 26th Annual Hawke Lecture in July 2025, describing an Australian company that developed an expensive and highly sophisticated military capability, only for another country to unveil a prototype with unmistakable similarities shortly afterwards.

"While I cannot categorically say espionage was involved, spy chiefs do not believe in coincidences," Burgess said.

ASIO identified more than 100 individuals on LinkedIn who said they had worked on the project, while others had posted its specifications and functionality on open discussion forums.

ASD aims its 261-page ISM at security professionals in organisations and at vendors.

All Australian government agencies and organisations that process government data must follow the guidance.

Other organisations are not legally required to comply unless legislation or a direction compels them to.

Copyright © iTnews.com.au . All rights reserved.