Information technology — Security techniques — Application security — Part 1: Overview and concepts

ISO/IEC 27034 provides guidance to assist organizations in integrating security into the processes used for managing their applications. ISO/IEC 27034-1:2011 presents an overview of application security. It introduces definitions, concepts, principles and processes involved in application security. ISO/IEC 27034 is applicable to in-house developed applications, applications acquired from third parties, and where the development or the operation of the application is outsourced.

Technologies de l'information — Techniques de sécurité — Sécurité des applications — Partie 1: Aperçu général et concepts

General Information

Status: Published
Publication Date: 20-Nov-2011
Current Stage: 9093 - International Standard confirmed
Start Date: 27-Oct-2022
Completion Date: 19-Apr-2025
Ref Project: Standard
ISO/IEC 27034-1:2011 - Information technology -- Security techniques -- Application security
English language, 67 pages

Standards Content (Sample)


INTERNATIONAL STANDARD ISO/IEC 27034-1
First edition
2011-11-15
Information technology — Security techniques — Application security —
Part 1: Overview and concepts
Technologies de l'information — Techniques de sécurité — Sécurité des applications —
Partie 1: Aperçu général et concepts

Reference number
© ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents

Foreword
Introduction
  0.1 General
  0.2 Purpose
  0.3 Targeted audiences
    0.3.1 General
    0.3.2 Managers
    0.3.3 Provisioning and operation teams
    0.3.4 Acquirers
    0.3.5 Suppliers
    0.3.6 Auditors
    0.3.7 Users
  0.4 Principles
    0.4.1 Security is a requirement
    0.4.2 Application security is context-dependent
    0.4.3 Appropriate investment for application security
    0.4.4 Application security should be demonstrated
  0.5 Relationship to other International Standards
    0.5.1 General
    0.5.2 ISO/IEC 27001, Information security management systems — Requirements
    0.5.3 ISO/IEC 27002, Code of practice for information security management
    0.5.4 ISO/IEC 27005, Information security risk management
    0.5.5 ISO/IEC 21827, Systems Security Engineering — Capability Maturity Model® (SSE-CMM®)
    0.5.6 ISO/IEC 15408-3, Evaluation criteria for IT security — Part 3: Security assurance components
    0.5.7 ISO/IEC TR 15443-1, A framework for IT security assurance — Part 1: Overview and framework, and ISO/IEC TR 15443-3, A framework for IT security assurance — Part 3: Analysis of assurance methods
    0.5.8 ISO/IEC 15026-2, Systems and software engineering — Systems and software assurance — Part 2: Assurance case
    0.5.9 ISO/IEC 15288, Systems and software engineering — System life cycle processes, and ISO/IEC 12207, Systems and software engineering — Software life cycle processes
    0.5.10 ISO/IEC 29193 (under development), Secure system engineering principles and techniques
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Structure of ISO/IEC 27034
6 Introduction to application security
  6.1 General
  6.2 Application security vs software security
  6.3 Application security scope
    6.3.1 General
    6.3.2 Business context
    6.3.3 Regulatory context
    6.3.4 Application life cycle processes
    6.3.5 Processes involved with the application
    6.3.6 Technological context
    6.3.7 Application specifications
    6.3.8 Application data
    6.3.9 Organization and user data
    6.3.10 Roles and permissions
  6.4 Application security requirements
    6.4.1 Application security requirements sources
    6.4.2 Application security requirements engineering
    6.4.3 ISMS
  6.5 Risk
    6.5.1 Application security risk
    6.5.2 Application vulnerabilities
    6.5.3 Threats to applications
    6.5.4 Impact on applications
    6.5.5 Risk management
  6.6 Security costs
  6.7 Target environment
  6.8 Controls and their objectives
7 ISO/IEC 27034 overall processes
  7.1 Components, processes and frameworks
  7.2 ONF management process
  7.3 Application security management process
    7.3.1 General
    7.3.2 Specifying the application requirements and environment
    7.3.3 Assessing application security risks
    7.3.4 Creating and maintaining the Application Normative Framework
    7.3.5 Provisioning and operating the application
    7.3.6 Auditing the security of the application
8 Concepts
  8.1 Organization Normative Framework
    8.1.1 General
    8.1.2 Components
    8.1.3 Processes related to the Organization Normative Framework
  8.2 Application security risk assessment
    8.2.1 Risk assessment vs risk management
    8.2.2 Application risk analysis
    8.2.3 Risk evaluation
    8.2.4 Application's Targeted Level of Trust
    8.2.5 Application owner acceptance
  8.3 Application Normative Framework
    8.3.1 General
    8.3.2 Components
    8.3.3 Processes related to the security of the application
    8.3.4 Application's life cycle
    8.3.5 Processes
  8.4 Provisioning and operating the application
    8.4.1 General
    8.4.2 Impact of ISO/IEC 27034 on an application project
    8.4.3 Components
    8.4.4 Processes
  8.5 Application security audit
    8.5.1 General
    8.5.2 Components
Annex A (informative) Mapping an existing development process to ISO/IEC 27034 case study
...
