Application Security using ISO 27034


Application security involves applying controls and measures to an organization's applications in order to manage their risk. According to ISO/IEC 27000, an Information Security Management System (ISMS) provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of an organization's information assets based on a business risk approach.

Because application security is such a broad field, ISO 27034 is correspondingly complex.

To help organizations meet their overall ISMS objectives, application security provides a framework for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of all information assets related to an organization's applications, thereby contributing to the organization's overall ISMS. A critical component of application security is the ability of the organization's management to demonstrate that the risks associated with using the application have been adequately managed.

As organizations implement an ISMS based on ISO 27001, they face an ever-increasing need to protect their applications from unauthorized access. Organizations may develop applications internally, outsource their development, or purchase commercial products. ISO 27034 facilitates the integration of security into the organization's application life cycle. Security requirements must be defined and analyzed at every stage of an application's life cycle, and then addressed and managed continuously as the application progresses. ISO 27034 helps companies implement the recommendations of ISO 27001 with a focus on application security, in order to achieve compliance.

ISO 27001 together with ISO 27002 addresses enterprise risk management through the "Plan, Do, Check, Act" approach. ISO 27034 applies the ISO 27005 risk management process with a focus limited to application security.

ISO 27034 describes Organization Normative Frameworks (ONF), which are internal structures that contain a set of normative processes and elements concerning the security of applications.

ISO 27034 consists of six documents or parts, three of which are the most important:

Part 1 provides an overview of application security. It introduces the definitions, concepts, principles and processes involved in application security.

Part 2 presents an in-depth discussion of the Organization Normative Framework, its components and the organization-level processes for managing it. This part explains the relationships among these processes, the activities associated with them, and the means by which they support the Application Security Management Process.

Part 3 discusses in detail the processes involved in an application project. Security requirements are identified by risk assessment and risk treatment, and they are influenced by a number of factors including the application specifications, the application's target environment (business, regulatory and technological contexts), critical data, and the application owner's choices. It gives an in-depth look at how an application project works: how to determine the application requirements and its environment, how to assess security risks, how to create and maintain the Application Normative Framework, how to provision and operate the application, and how to validate its security. The purpose of this part is to explain how these processes relate, what they do, and how they contribute to security. It explains how an organization should implement the standard at the application project level and integrate it into its existing processes.

The components, processes and frameworks in ISO 27034 can be divided into two overall processes:

ONF Management Process - A continuous organizational process. The ONF itself is beyond the scope of ISO 27034 and is an overall framework for application security. ISO 27034-2 is the detailed document on the ONF Management Process, which is also described in ISO 27034 Clause 8.1.3.2.

Application Security Management Process (ASMP) - A process within application projects. It manages security for each application and application project. It is closely tied to the Risk Management Process, and its outcome is the Application Normative Framework (ANF). ISO 27034-3 is the detailed document on the ASMP, which is also described in ISO 27034 Clause 8.1.3.2. The ASMP selects all the relevant elements from the ONF that apply to a specific application or application project; the result is the ANF. The ASMP has five steps:

  1. Specifying the application requirements and environment (Context Establishment - ISO 27005)
  2. Assessing application security risks (Risk Assessment and Treatment - ISO 27005)
  3. Creating and maintaining the Application Normative Framework, i.e. selecting all the relevant elements from the ONF that apply to the specific application project (Risk Treatment - ISO 27005)
  4. Provisioning and operating the application (Risk Treatment - ISO 27005)
  5. Auditing the security of the application (Monitoring and Review - ISO 27005)



ISO 27034 provides a framework for organizations to identify and protect sensitive information across multiple applications, since trying to protect every application equally would be expensive and difficult. The framework uses a risk management approach based on ISO 27005 and proposes components such as Application Security Controls (ASCs) and processes to make sure sensitive applications meet their Targeted Level of Trust.

An organization that implements and manages ISO 27034 well will not only be able to provide expected and verifiable evidence that its sensitive applications are adequately protected, but will also strengthen its ICT security and ISMS. Handling application security issues requires taking into account the organization's specific business, regulatory and technological contexts, and the ISO 27034 framework provides clear guidance for this. It is also important to note that implementing ASCs according to the application's Level of Trust is a set of processes that can be integrated not only into the System Development Life Cycle (SDLC) but also into daily operations.

Application Security Control (ASC)

In a nutshell, an application security control (ASC) is a defined measure that prevents an application from having a particular security weakness. It is one of the foundation concepts of ISO 27034. For example, "binding variables in SQL statements" is a common ASC that prevents SQL injection, a common application security vulnerability. ASCs are relevant to specific applications based on their context; some organizations refer to ASCs as application security requirements. Binding variables in SQL statements is an example of an ASC relevant only to applications that use a database.

Application Level of Trust

Although the context of an ASC determines which applications it applies to, not all applications require the same set of security controls. For example, an internal-facing application that does not contain any sensitive information has a very different risk profile from a web-facing application that holds customers' personally identifiable information. This is why ISO 27034 introduces the concept of Levels of Trust. Every ASC can belong to one or more of these levels.

For example, in a very simple scenario, an organization may have three different Levels of Trust:

  • At one end is level 0, which includes only the ASCs that mitigate the highest risks.
  • At the other end is level 2, which includes the most ASCs and mitigates many more risks.
  • In between is level 1, which has fewer ASCs than level 2 and more than level 0.

As stated earlier, the Level of Trust of an application is determined by the risk assessment process.

Organization Normative Framework

The ONF is the foundation of all application security decisions made by an organization. All the application security best practices recognized by the organization are stored within the ONF, or will be refined and derived from it in the future. The components of the ONF are highlighted in the figure above; additionally, the organization should have an ONF Management Process.

The ONF is the input to the ASMP and the ANF is its output.

ONF Components

Business Context - Processes, guidelines and standards used by the organization that could impact IT applications, e.g. risk management, project management, etc.

Regulatory Context - Laws and regulations that could impact IT applications and the data they contain, e.g. PCI DSS, HIPAA, GDPR, etc.

Technological Context - IT products, services and technologies available to the organization for application projects. These products, services and technologies determine the threats to which applications are exposed.

Application Specifications Repository - Lists and documents the organization's general IT functional requirements and the corresponding pre-approved solutions, e.g. IT infrastructure, data storage, source code, libraries, services, etc.

Roles, responsibilities and qualifications - All roles, responsibilities and required professional qualifications for actors involved in the organization's application life cycle and development, e.g. programmers, business analysts, project managers, etc. Additionally, the roles, responsibilities and required professional qualifications for actors involved in creating and maintaining the ONF and/or creating and maintaining ASCs.

Organization ASC Library - The library of controls for application security. ASCs recognized by the organization are listed and documented in this library. These ASCs are the products of standards, best practices, roles, responsibilities, qualifications, the technical, business and regulatory contexts, and application specifications, among others. The library organizes ASCs by the protection level they offer. To inform the organization of the level of security obtained from a particular defined set of controls, each set is labelled with a Level of Trust. A set of controls with a low Level of Trust provides limited information security protection; a set with a high Level of Trust provides a high level of protection.

The Application Security Control is a central concept in ISO/IEC 27034. It is used for introducing security activities into the application’s life cycle and articulates the supporting evidence needed to verify its successful application.

An ASC is a security control used in application projects, defined using a precise structure presented in ISO 27034; for example, security controls from NIST SP 800-53 can be described using the ASC structure. An ASC provides the application project team with a security activity (i.e., to reduce or limit a specific security risk) and the verification team with a verification measurement activity (i.e., to confirm that the corresponding security activity has been successfully performed by examining the supporting evidence).

Application Security Life Cycle Reference Model - Companies that develop, outsource or acquire applications usually do so within a framework commonly referred to as a "life cycle model" (also called a "software life cycle model", an "application life cycle model" or a "system life cycle model"). Different groups within a complex organization may use different application life cycle models for different projects, and there are many software and system life cycle models from which an organization can choose for its internal needs.

ISO 27034 proposes an Application Security Life Cycle Reference Model that consists of two phases, each divided into three stages:

Phase 1 - Application Provisioning

  • Stage 1 - Preparation
  • Stage 2 - Realization (Acquisition or Development or both)
  • Stage 3 - Transition

Phase 2 - Application Operation

  • Stage 1 - Utilization/Maintenance
  • Stage 2 - Archival
  • Stage 3 - Destruction

The model presented by ISO 27034 is further divided into four vertical layers:

  1. Application management: this layer comprises activities from the governance domain.
  2. Application provisioning and operation: this layer comprises activities relating to the provisioning and use of the application itself.
  3. Infrastructure management: this layer comprises activities relating to the organization's IT service management infrastructure supporting the application.
  4. Application audit: this layer comprises activities relating to control and verification.

All the processes the organization uses are recorded in the ONF. Hence every process that has anything to do with defining, managing and verifying application security, as well as the other processes, should be formally documented in the ONF.

Processes related to the Organization Normative Framework

The organization should define, document and authorize processes for creating, approving and maintaining the ONF and all of its components. The ONF Management Process and its sub-processes are permanent, organization-wide processes carried out by the organization's ONF committee. These processes are independent from, and are performed in parallel with, the organization's application projects. They consist of the following:

ONF Management Process

ONF Management Subprocesses - The application-security-related ONF management subprocesses map to the four stages of the ISMS process, i.e. Plan-Do-Check-Act:

Plan - Design the ONF

Do - Implement the ONF

Check - Monitor & Review the ONF

Act - Continuous Improvement of ONF

Application Normative Framework

Risk assessment is the second step of the risk management process; hence application security risk assessment is the second step of the ASMP, which applies the risk assessment process at the application level. When the ASMP is aligned with ISO 27001, the final aim is to apply the ASCs and achieve the targeted Level of Trust for the application or application project. The risk assessment process produces the security requirements from which the application's Targeted Level of Trust is derived.


The Application Normative Framework (ANF) is a subset of the ONF that contains only the detailed information required for a specific application or application project to reach the Targeted Level of Trust set by the application owner in step 2 of the ASMP.

In the second step of the ASMP the organization determines which security requirements the application needs to meet, based on the risks associated with it. For each application project, the ANF is created and populated with a comprehensive set of technological, regulatory and business contexts, application specifications, and appropriate ASCs.


ANF Components

Business context associated with the application's environment

The business processes, methodologies, and standards that will be utilized in the application project will be derived from or refined based on the organization's ONF business context for the application.

Regulatory context associated with the application's environment

The legal and regulatory requirements that will be utilized in the application project will be derived from or refined based on the organization's ONF regulatory context for the application.

Technological context associated with the application's environment

The technological components of the application, such as its architecture, infrastructure, protocols and languages, that will be utilized in the application project will be derived from or refined based on the organization's ONF technological context for the application.

Application specifications

Application actors: roles, responsibilities and qualifications

All actors who interact with the application during its life cycle should be determined such as application owners, project managers, audit officers, architects, testers, developers,

Selected ASCs for the application's life cycle

Using the organization's ASC library, the project team selects detailed ASCs based on the application requirements and the application's Targeted Level of Trust. For each ASC, security activities are planned and implemented by the application project team in order to mitigate specific security risks.
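To make this selection step and the Levels of Trust described earlier concrete, here is an added Python example (not from the standard or this article) that models a constructed ONF ASC library using the ASC structure discussed above (security activity, verification activity, evidence), derives an ANF by selecting the ASCs for a Targeted Level of Trust and the application's specifications, and checks that the three levels nest as described; all control names, levels and contexts are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ASC:
    """ASC structure from ISO 27034: a security activity for the project team, a
    verification activity for the verification team, and the supporting evidence."""
    name: str
    security_activity: str
    verification_activity: str
    evidence: str
    min_level: int                     # lowest Level of Trust that requires this ASC
    contexts: frozenset = frozenset()  # application specifications it applies to; empty = all

# Constructed ONF ASC library; the entries are hypothetical, not taken from the standard.
ONF_ASC_LIBRARY = (
    ASC("bind-sql-variables", "Bind variables in every SQL statement",
        "Review all database access code for string-built queries",
        "code review sign-off, static analysis report", 0, frozenset({"database"})),
    ASC("tls-for-external-endpoints", "Expose external endpoints only over TLS",
        "Scan exposed endpoints for plaintext or weak TLS configuration",
        "TLS scan report", 0, frozenset({"internet-facing"})),
    ASC("mfa-for-privileged-roles", "Require multi-factor authentication for administrators",
        "Inspect the identity provider policy for administrative roles",
        "exported IdP policy", 1),
    ASC("third-party-dependency-review", "Review third-party libraries for known vulnerabilities",
        "Confirm the dependency scan ran against the release build",
        "dependency scan report", 1),
    ASC("independent-penetration-test", "Commission an independent penetration test before release",
        "Confirm every finding was fixed or formally risk-accepted",
        "penetration test report, risk acceptance records", 2),
)

def select_anf_ascs(library, target_level, app_specs):
    """ASMP step 3: an ASC enters the ANF when the Targeted Level of Trust reaches its
    minimum level and its contexts (if any) overlap the application's specifications."""
    return [asc for asc in library
            if asc.min_level <= target_level
            and (not asc.contexts or asc.contexts & app_specs)]

def levels_are_nested(library, app_specs, max_level):
    """Check the property of the three-level scheme described above: each higher level
    contains every ASC of the level below, so raising the target never drops a control."""
    chosen = [{asc.name for asc in select_anf_ascs(library, lvl, app_specs)}
              for lvl in range(max_level + 1)]
    return all(chosen[i] <= chosen[i + 1] for i in range(max_level))

def anf_evidence(library, target_level, app_specs):
    """Selected ASC names mapped to the evidence the verification team will examine."""
    return {asc.name: asc.evidence
            for asc in select_anf_ascs(library, target_level, app_specs)}
```

An internal application at level 0 with only a "database" specification ends up with a single ASC, while a level 2 internet-facing application with a database picks up the whole library.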

Processes related to the security of the application

All relevant processes related to the definition, management and verification of application security, taken from ONF, should be included in the ANF.

Application's life cycle



More articles by Dipen Das, CISM, CISSP, CRISC
