Application security in the ISO27001 Environment

VINOD VASUDEVAN
ANOOP MANGLA
FIROSH UMMER
SACHIN SHETTY
SANGITA PAKALA
SIDDHARTH ANBALAHAN
Copyright Date: 2008
Published by: IT Governance Publishing
Pages: 220
https://www.jstor.org/stable/j.ctt5hh6rv
    Book Description:

    Application Security in the ISO27001 Environment demonstrates how to secure software applications using ISO/IEC 27001. It does this in the context of a wider roll-out of an information security management system (ISMS) that conforms to ISO/IEC 27001. Over 224 pages, the authors address a range of essential topics, including an introduction to ISO27001 and ISO27002, secure development lifecycles, threat profiling and security testing, and secure coding guidelines. As well as showing how to use ISO27001 to secure individual applications, the book demonstrates how to tackle this issue as part of the development and roll-out of an organisation-wide Information Security Management System conforming to the Standard. Software packages are the conduits to critical business data, so securing applications adequately is of the utmost importance. Order a copy of this book today: it is the de-facto standard on application security in the ISO/IEC 27001 environment.

    Key Features:
      • De-facto standard on application security in the ISO/IEC 27001 environment.
      • Leads the reader step-by-step through all of the phases of securing software applications in the context of rolling out an ISO/IEC 27001 ISMS.
      • Demonstrates how to secure such mainstream applications as the Microsoft Office suite, SAP, Lotus Notes, Adobe applications, SAGE, Skype, and many other software applications.

    eISBN: 978-1-905356-36-2
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 1-5)
  2. PREFACE
    (pp. 6-7)
  3. Acknowledgements
    (pp. 7-7)
    Vinod Vasudevan
  4. Table of Contents
    (pp. 8-8)
  5. CHAPTER 1: INTRODUCTION TO THE INTERNATIONAL INFORMATION SECURITY STANDARDS ISO27001 AND ISO27002
    (pp. 9-18)

    It is a truism to say that information is the currency of the information age. Information is, in many cases, the most valuable asset possessed by an organisation, even if that information has not been subject to a formal and comprehensive valuation.

    IT governance is the discipline that deals with the structures, standards and processes that boards and management teams apply to effectively manage, protect and exploit their organisations’ information assets.

    Information security management is that subset of IT governance that focuses on protecting and securing an organisation’s information assets. The international standard ISO27001 defines information security as the ‘preservation...

  6. CHAPTER 2: THE ISO27001 IMPLEMENTATION PROJECT
    (pp. 19-30)

    The successful design, development and implementation of an ISMS that will be in line with the requirements of ISO27001 is a significant project. There are a number of important aspects to such a project, all of which are developed in detail in International IT Governance: an Executive Guide to ISO27001/ISO17799. A project team will need to be set up and it will need the full support of management.

    ISO27001 adopts the Plan-Do-Check-Act (PDCA) model that anyone familiar with other management system standards, such as ISO9001, will recognise. To implement an ISO27001-compliant ISMS, an organisation needs to ‘Plan’ what it is...

  7. CHAPTER 3: RISK ASSESSMENT
    (pp. 31-44)

    Any organisation pursuing ISO27001 certification for its information security management system will need an approach to risk assessment that meets the requirements of ISO/IEC 27001:2005. Clause 4.2.1 b) of ISO27001 requires the organisation to take an explicitly risk-based approach to the selection and operation of information security controls.

    Risk management is a discipline for dealing with non-speculative risks, those risks from which only a loss can occur. In other words, speculative risks can be seen as the subject of an organisation’s business strategy whereas non-speculative risks, which can reduce the value of the assets with which the organisation undertakes its speculative...

  8. CHAPTER 4: INTRODUCTION TO APPLICATION SECURITY THREATS
    (pp. 45-49)

    All businesses today use software automation to streamline their core functions – selling, procuring, production and customer relationship management.

    People performing these functions make use of data to perform their work. For example, employees working in a bank use customers’ account balances to clear issued cheques, to create account statements or to calculate interest paid. The data, the customers’ account balance in this case, is fundamental for this function of the bank. Any loss or inaccuracy of customers’ account balances will jeopardise the bank’s functioning. Similarly, since customers’ account balances are important data, a bank wants only authorised people to have...

  9. CHAPTER 5: APPLICATION SECURITY AND ISO27001
    (pp. 50-96)

    As the threats to applications increase, we need a structured approach for managing the security of our applications. ISO27001 is the international standard for information security management best practice, and is the most comprehensive standard for information security. It provides a framework to manage the security of our applications.

    ISO27001 defines controls for the acquisition, development, customisation, maintenance and operation of applications. The controls are process-centric and technology-independent, thus making the standard strong. The standard does not specify the technical details for the controls. It is expected that organisations will draw on the more detailed technical guidance available from specific...

  10. CHAPTER 6: ATTACKS ON APPLICATIONS
    (pp. 97-124)

    In this chapter we will look at some of the common attacks on applications and their effects. The object of this chapter is to show you how easy many application layer attacks are.

    Application-specific attacks can be targeted at a specific user or at a large mass of users at one time. These attacks are, increasingly, the preserve of automated ‘bots’ that scan as many systems on or linked to the internet as possible with an eye to exploiting flawed or vulnerable applications. The financial implications of these exploits, the loss of reputation, the resultant downtime and the lost productivity...

  11. CHAPTER 7: SECURE DEVELOPMENT LIFECYCLE
    (pp. 125-155)

    Now that we have seen some of the more common attacks on applications, let’s take a look at the vital task of securing software. All of us usually focus on the functionality of our software first. We overlook security when software is first built. Very often, security only comes into the picture after the application has been developed and deployed.

    But research shows that the cost and effort of fixing security weaknesses after deployment is much higher than building security into the application in the first place.

    Having said that, please note that security is not a one-time activity. If...

  12. CHAPTER 8: THREAT PROFILING AND SECURITY TESTING
    (pp. 156-182)

    In Chapter 7 we discussed the approach of integrating security requirement analysis, design, implementation and testing into the software development lifecycle stages. In this chapter we will discuss the process of identifying threats to the application and using them in different security testing methods.

    Studying the motivations and methods of an adversary is the first step in designing a secure application. The goals and motivations of an adversary are treated as the threats to the application. The structured process of identifying and documenting all possible security threats is called threat profiling. The justification for implementing an application security feature is...

  13. CHAPTER 9: SECURE CODING GUIDELINES
    (pp. 183-219)

    In Chapter 7 we discussed the role of secure coding guidelines in ensuring that applications are secure. In this chapter, we look at some of the most important guidelines developers should follow. Since many of these are low-level code-writing requirements, we illustrate the guidelines with code snippets. As the coding guidelines are platform-agnostic and apply to all popular platforms, we show code snippets for only one platform, .Net. The examples we show with .Net can be ported to J2EE, PHP, Perl and other platforms too.

    We classify the coding guidelines into six categories:

    1. Input validation guidelines.

    2. Authentication guidelines....

  14. Back Matter
    (pp. 220-220)