ISO/IEC 27034 Information technology — Security techniques — Application security (draft) 
This is an ambitious project to develop information security guidance for those specifying, designing/programming or procuring, implementing and using application systems (i.e. business and IT managers, developers, auditors and end-users), ensuring that the desired level of security is attained in business applications in line with the organization’s ISMS.
The multi-part standard will provide guidance on specifying, designing/selecting and implementing information security controls through a set of processes integrated throughout an organization’s Systems Development Life Cycles. It will cover software applications developed internally, by external acquisition, outsourcing/offshoring or through hybrid approaches. It will address all aspects from determining information security requirements, to protecting information accessed by an application as well as preventing unauthorized use and/or actions of an application.
The standard will be ‘SDLC method agnostic’, in other words it will not mandate particular development methods, approaches or stages but will be written in a general manner to be applicable to all. In this way, it will complement other systems development standards without conflicting with them.
ISO/IEC 27034-1 - Information technology — Security techniques — Application security overview and concepts (draft) 
- As with other multi-part ISO27k standards, this part will set the scene for the remainder, providing a general introduction and outline of the remaining parts;
- Currently at 2nd CD stage;
- The part 1 draft is 78 pages long;
- States explicitly that 27034 is not a software application development standard, an application project management standard, nor a software development life cycle standard. Its purpose is to provide general guidance that will be supported, in turn, by more detailed methods and standards in those areas;
- The standard explicitly takes a process approach to specifying, designing, developing, testing, implementing and maintaining security functions and controls in application systems. For instance, it defines application security not as the state of security of an application system but as “a process an organization can perform for applying controls and measurements to its applications in order to manage the risk of using them”;
- The draft standard draws on concepts such as auditing and certification of application systems, similar in style to the Common Criteria and comparable schemes used primarily for government and military systems. It tends to emphasize deliberate threats from external adversaries over those from insiders and, perhaps more importantly in many situations, accidental threats, and hence over the need for integrity and availability controls.
ISO/IEC 27034-2 - Organization Normative Framework (draft) 
ISO/IEC 27034-3 - Application Security Management Process (pre-draft) 
- No text available as yet;
- Part 1 says it will describe the [information security relevant] processes in an application development project, plus their relationships and interdependencies;
- It sounds like this will be the most broadly applicable and useful part of this standard.
ISO/IEC 27034-4 - Application security validation (pre-draft) 
- No text available as yet;
- Part 1 says it will describe an application security validation and certification process to assess and compare the ‘level of trust’ of an application system against its previously stated [information security] requirements.
ISO/IEC 27034-5 - Protocols and application security control data structure (pre-draft) 
ISO/IEC 27034-6 - Security guidance for specific applications (pre-draft) 
- No text available as yet;
- Part 1 says part 6, “if needed”, could provide examples of Application Security Controls (ASCs) tailored for “specific application security requirements”.
Hopefully all parts of the standard will align with JTC1/SC17’s standards on software engineering, and the terminology used should align with ISO 31000.