ISO/IEC 27034-1:2011
Information technology — Security techniques — Application security — Part 1: Overview and concepts
ISO/IEC 27034 provides guidance to assist organizations in integrating security into the processes used for managing their applications. ISO/IEC 27034-1:2011 presents an overview of application security. It introduces definitions, concepts, principles and processes involved in application security. ISO/IEC 27034 is applicable to in-house developed applications, applications acquired from third parties, and where the development or the operation of the application is outsourced.
Technologies de l'information — Techniques de sécurité — Sécurité des applications — Partie 1: Aperçu général et concepts
General Information
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 27034-1
First edition 2011-11-15
Information technology — Security techniques — Application security — Part 1: Overview and concepts
Technologies de l'information — Techniques de sécurité — Sécurité des applications — Partie 1: Aperçu général et concepts
© ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
0.1 General
0.2 Purpose
0.3 Targeted audiences
0.3.1 General
0.3.2 Managers
0.3.3 Provisioning and operation teams
0.3.4 Acquirers
0.3.5 Suppliers
0.3.6 Auditors
0.3.7 Users
0.4 Principles
0.4.1 Security is a requirement
0.4.2 Application security is context-dependent
0.4.3 Appropriate investment for application security
0.4.4 Application security should be demonstrated
0.5 Relationship to other International Standards
0.5.1 General
0.5.2 ISO/IEC 27001, Information security management systems — Requirements
0.5.3 ISO/IEC 27002, Code of practice for information security management
0.5.4 ISO/IEC 27005, Information security risk management
0.5.5 ISO/IEC 21827, Systems Security Engineering — Capability Maturity Model® (SSE-CMM®)
0.5.6 ISO/IEC 15408-3, Evaluation criteria for IT security — Part 3: Security assurance components
0.5.7 ISO/IEC TR 15443-1, A framework for IT security assurance — Part 1: Overview and framework, and ISO/IEC TR 15443-3, A framework for IT security assurance — Part 3: Analysis of assurance methods
0.5.8 ISO/IEC 15026-2, Systems and software engineering — Systems and software assurance — Part 2: Assurance case
0.5.9 ISO/IEC 15288, Systems and software engineering — System life cycle processes, and ISO/IEC 12207, Systems and software engineering — Software life cycle processes
0.5.10 ISO/IEC 29193 (under development), Secure system engineering principles and techniques
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Structure of ISO/IEC 27034
6 Introduction to application security
6.1 General
6.2 Application security vs software security
6.3 Application security scope
6.3.1 General
6.3.2 Business context
6.3.3 Regulatory context
6.3.4 Application life cycle processes
6.3.5 Processes involved with the application
6.3.6 Technological context
6.3.7 Application specifications
6.3.8 Application data
6.3.9 Organization and user data
6.3.10 Roles and permissions
6.4 Application security requirements
6.4.1 Application security requirements sources
6.4.2 Application security requirements engineering
6.4.3 ISMS
6.5 Risk
6.5.1 Application security risk
6.5.2 Application vulnerabilities
6.5.3 Threats to applications
6.5.4 Impact on applications
6.5.5 Risk management
6.6 Security costs
6.7 Target environment
6.8 Controls and their objectives
7 ISO/IEC 27034 overall processes
7.1 Components, processes and frameworks
7.2 ONF Management Process
7.3 Application Security Management Process
7.3.1 General
7.3.2 Specifying the application requirements and environment
7.3.3 Assessing application security risks
7.3.4 Creating and maintaining the Application Normative Framework
7.3.5 Provisioning and operating the application
7.3.6 Auditing the security of the application
8 Concepts
8.1 Organization Normative Framework
8.1.1 General
8.1.2 Components
8.1.3 Processes related to the Organization Normative Framework
8.2 Application security risk assessment
8.2.1 Risk assessment vs risk management
8.2.2 Application risk analysis
8.2.3 Risk evaluation
8.2.4 Application's Targeted Level of Trust
8.2.5 Application owner acceptance
8.3 Application Normative Framework
8.3.1 General
8.3.2 Components
8.3.3 Processes related to the security of the application
8.3.4 Application's life cycle
8.3.5 Processes
8.4 Provisioning and operating the application
8.4.1 General
8.4.2 Impact of ISO/IEC 27034 on an application project
8.4.3 Components
8.4.4 Processes
8.5 Application security audit
8.5.1 General
8.5.2 Components
Annex A (informative) Mapping an existing development process to ISO/IEC 27034: case study
...