ISO/IEC 27034

ISO/IEC 27034:2011+ Information technology — Security techniques — Application security (part 1 published, rest in DRAFT)

Introduction

ISO/IEC 27034 offers guidance on information security to those specifying, designing and programming or procuring, implementing and using application systems: that is, business and IT managers, developers and auditors, and ultimately the end-users of ICT.  The aim is to ensure that computer applications deliver the desired or necessary level of security in support of the organization’s Information Security Management System, adequately addressing many ICT security risks.

Scope and purpose

This multi-part standard provides guidance on specifying, designing/selecting and implementing information security controls through a set of processes integrated throughout an organization’s Systems Development Life Cycle/s (SDLC).  It is process-oriented.

It covers software applications developed internally, by external acquisition, outsourcing/offshoring or through hybrid approaches.

It addresses all aspects from determining information security requirements, to protecting information accessed by an application as well as preventing unauthorized use and/or actions of an application.

The standard is SDLC-method-agnostic: it does not mandate one or more specific development methods, approaches or stages but is written in a general manner to be applicable to them all.  In this way, it complements other systems development standards and methods without conflicting with them.

One of the key driving principles is that it is worth investing more heavily in specifying, designing, developing and testing software security controls or functions if they are reusable across multiple applications, systems and situations, albeit at the risk of propagating vulnerabilities more widely than might otherwise be the case.  In a nutshell, “Do it properly, do it once, and reuse it”.  The approach may seem a little idealistic, but some far-sighted organizations are already successfully using it: it is more than just an academic interest.

ISO/IEC 27034-1:2011 — Information technology — Security techniques — Application security — Overview and concepts

  • As with other multipartite ISO27k standards, the first part sets the scene for the remainder, providing a general introduction and outlining the remaining parts;
  • ~80 pages long with quite a bit of detail;
  • States explicitly that this is not a software application development standard, an application project management standard, nor a software development cycle standard.  Its purpose is to provide general guidance that will be supported, in turn, by more detailed methods and standards in those areas;
  • Explicitly takes a process approach to specifying, designing, developing, testing, implementing and maintaining security functions and controls in application systems.  For instance, it defines application security not as the state of security of an application system but as “a process an organization can perform for applying controls and measurements to its applications in order to manage the risk of using them”;
  • Uses the concept of defining a Targeted Level of Trust (similar to a security plan) for an application, designing and building the application to meet it, and then validating the application against it;
  • Draws on concepts such as auditing and certification of application systems, similar in style to the Common Criteria and similar schemes primarily used for government and military systems.  The text tends to emphasize deliberate threats arising from external adversaries, implying the importance of confidentiality controls and arguably downplaying insider and accidental threats and the need for integrity and availability controls, but the process described ostensibly takes account of the full spectrum of security risks and controls;
  • Status: part 1 was published in 2011.  Three minor corrections plus a revised figure were published in 2014 as a technical corrigendum.  No more changes are planned.

ISO/IEC 27034-2 - Organization normative framework (draft)

  • Explains the relationships and interdependencies between processes in the Organization Normative Framework (ONF), the fancy name for a suite of application security related policies, procedures, roles and tools;
  • The standard is intended to guide organizations in designing, implementing, operating and auditing their ONF;
  • The approach is formal and bureaucratic (e.g. a committee is needed to oversee the ONF), hence it is most likely to suit organizations that have or want a highly structured way of securing the applications they develop;
  • Status: part 2 is at DIS stage and may be published by the end of 2014.

ISO/IEC 27034-3 - Application security management process (draft)

  • Part 3 will describe the Application Security Management Process i.e. “the overall process for managing security on each specific application used by an organization”;
  • This may be the most broadly applicable and useful part of this standard;
  • Status: part 3 is at WD stage.  The latest draft has about 40 pages of useful, detailed and explicit content.

ISO/IEC 27034-4 - Application security validation (draft)

  • Part 1 says Part 4 will describe an application security validation and certification process to assess and compare the ‘level of trust’ of an application system against its previously stated [information security] requirements;
  • Status: no part 4 text is available as yet (? I may have missed it)

ISO/IEC 27034-5 - Protocols and application security control data structure (draft)

  • Part 5 defines the Application Security Control (ASC) data structure, providing requirements, descriptions, graphical representations and an XML schema for the data model.  The XML schema, based on ISO/TS 15000 (Electronic business eXtensible Markup Language, ebXML), is designated as the standard interchange format for ASCs;
  • The purpose of part 5 is to facilitate the implementation of the ISO/IEC 27034 application security framework and the communication and exchange of ASCs by defining a formal structure for ASCs and certain other components of the framework.  It will enable the establishment of libraries of reusable application security functions that may be shared both within and between organizations;
  • Status: part 5 has been split into two sub-parts.  Part 5-1 is at WD stage and 5-2 is at CD stage.

ISO/IEC 27034-6 - Security guidance for specific applications (draft)

  • Part 6 will provide examples of Application Security Controls (ASCs) tailored for “specific application security requirements”.  [I don’t yet know which specific requirements that means.]
  • Status: part 6 is at CD stage.

ISO/IEC 27034-7 - Application security assurance prediction (draft)

  • Part 7 concerns the assurance necessary to place trust in a program’s security arrangements, for example when one program (such as an application) relies on another (e.g. a database management system, utility, operating system or companion program) to perform critical security functions (such as user authentication, logical access control or cryptography), or when an organization updates or patches a trusted program;
  • The standard encourages users to consider, determine/specify and document the trust or criticality (called “security predictability” in the curious language of the standard) as the basis for rational decisions by them and by software suppliers concerning the way software is designed, developed, tested, delivered, managed, operated and maintained;
  • Status: part 7 is at WD stage.  The present draft is rather academic in style.  As well as the usual raft of editorial comments, some more meaty technical comments have been received.

All parts of the standard should align with JTC1/SC17’s standards on software engineering, and the terminology used should align with ISO 31000 (fingers crossed).

Copyright © 2014 IsecT Ltd.