ISO/IEC 27034-7
ISO/IEC 27034-7:2018 — Information technology — Security techniques — Application security — Part 7: Assurance prediction framework
(first edition)
Abstract
ISO/IEC 27034 part 7 ”describes the minimum requirements when the required activities specified by an Application Security Control (ASC) are replaced with a Prediction Application Security Rationale (PASR). The ASC mapped to a PASR define the Expected Level of Trust for a subsequent application. In the context of an Expected Level of Trust, there is always an original application where the project team performed the activities of the indicated ASC to achieve an Actual Level of Trust. The use of Prediction Application Security Rationales (PASRs), defined by [ISO/IEC 27034-7], is applicable to project teams which have a defined Application Normative Framework (ANF) and an original application with an Actual Level of Trust. Predictions relative to aggregation of multiple components or the history of the developer in relation to other applications is outside the scope of [ISO/IEC 27034-7].”
[Source: ISO/IEC 27034-7:2018]
Introduction
Part 7 specifies a framework to deliver the assurance necessary to place trust in a computer program’s security arrangements, for example:
When one program (such as an application) relies on another (e.g. a database management system, utility, operating system or companion program) to perform critical security functions (such as user authentication, logical access control or cryptography), or
When an organisation updates or patches a trusted program.
Scope
Specifies minimum requirements when the required activities specified by an Application Security Control are replaced with a Prediction Application Security Rationale.
The ASC mapped to a PASR defines the Expected Level of Trust for a subsequent application.
The use of PASRs is applicable to project teams which have a defined Application Normative Framework and an original application with an Actual Level of Trust.
Structure
Main sections:
5: Prediction concepts
6: Predictions
7: Substantial changes
8: Confidence
9: Prediction application security rationale
10: PASR audit
11: PASR Verification
12: PASR implementation
13: Expected level of trust report
Annex A: Expected level of trust assurance case
Annex B: Comparison of ASC to PASR
Status
The current first edition of part 7 was published in 2018 and confirmed unchanged in 2023.
Commentary
The language in part 7 is decidedly formal and stilted (e.g. “An application security claim is a claim that the application team implemented certain security controls and those controls mitigate specific security risks to an acceptable level. A security prediction is the transfer of confidence in the original claim to a claim that the same security controls are also present in a subsequent version of the application and mitigate, to the same acceptable level, the same specific security risks.” - got that?). It falls a long way short of ISO’s guidance on plain English.