National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting.
Organisations are increasingly protecting themselves by operating formalized information security management systems. At the technical level they protect themselves with firewalls, antivirus and intrusion detection systems.
In addition, user staff perform checks on the results of processing to determine the correctness of the data and the information produced by the systems. For instance, a firewall may not provide adequate protection against vulnerabilities resulting from faulty software. This kind of security fault can only be fixed by a software patch from the development team. The fact is, all security problems that can be solved with a software patch are application security problems.
Mismanagement of the application can have the same impact. At a minimum, common security vulnerabilities resulting from insecure coding and development practices can be eliminated to provide a more secure and resilient code base. The following actors will find value and benefits: An organisation can claim an application is secure, but this affirmation is only valid for this organisation. This protection may ensure not only the availability, integrity and confidentiality of the data, but also the authentication and the non-repudiation of the users who will access it.
This should be contrasted with system software, which is involved in integrating a computer's various capabilities, but typically does not directly apply them in the performance of tasks that benefit the user.
In this context the term application refers to both the application software and its implementation. Business processes include people and technologies. It must be possible to show supporting evidence to demonstrate that the target level of trust was reached. We will not differentiate between these user types because the access of all these users must be controlled.
Verification in a life cycle context is a set of activities that compares a product of the life cycle against the required characteristics for that product.
This may include, but is not limited to, specified requirements, design description and the system itself. It introduces definitions, concepts, principles and the overall application security process.
It also identifies actors involved in these processes by identifying their roles, responsibilities and qualifications. More specifically, these will provide measurable evidence that applications reach and maintain a target level of trust.
This framework contains all the regulations, laws, best practices, roles and responsibilities accepted by the organisation. It defines all organisation contexts and becomes the unique organisation referential for application security. A verification team will verify that this process is used correctly. The targeted application level of trust, the application contexts (legal, business and technological), the actors and the application characteristics will determine the exact contents of the ANF.
The execution team will implement the security activities contained in the ANF. This process may be performed by an internal or an external verification team, using the controls provided by the Application Normative Framework.
It will measure the actual application level of trust at a specific time. Depending on the level of trust needed for the particular application project, this process may be unique, periodic, or event-driven.
Figure 2 — Roles and responsibilities in a typical application project
Figure 3 shows how this standard adds new roles and responsibilities, along with key components of the standard: the ONF and the ANF.
The execution team, the verification team and the users will only be impacted by the ANF, a project-level component that contains precise and detailed security measures and controls.
It comprises essential components, processes that utilize those components, and processes for managing the ONF itself. For example, code reviews can only be performed in a project if coding guidelines can be found in the ONF.
Examples of technological contexts that may have an impact on application security: client-server infrastructure, web infrastructure, network infrastructure, development environment and tools, etc. For example, if the infrastructure that the business application will be run in cannot support bi-directional TLS 1.
The organisation will have to select another measure for bi-directional authentication, if that functionality is needed at the target level of trust. This need should be added to the ONF and an organisational process should ensure that approved technologies are found to fulfil the new requirements.
This is an organisational-level policy that will help ensure that critical roles for all processes are filled, that responsibilities are defined, that conflicts of interest are avoided, and that people filling the roles have sufficient qualifications. In this example, the organisation uses 10 levels of trust.
The organisation may use any name for this level of trust. Even if the risk analysis for this application resulted in a target level of trust zero, this ASM shall still be performed. It is the tool used to actually implement application security and verify the result. This ensures that the organisation can prevent the execution team from bypassing critical security activities.
It identifies the needs for the manager, the team leader, the development team, the auditor, etc. In the example in Figure 5, an ASM has been defined at level zero for any business applications using online payment.
This ASM is mandatory for all projects when the target level of trust is 0 to 9. If the target level of trust is 10, a different ASM is used. It may specify that a periodic control will be required. It contains all the ASMs included in level of trust zero, which is defined as the minimum acceptable level of trust the organisation will accept. The ASMs included at level zero cannot be removed during an application project. This is further discussed in subclause 6.
It presents a process-oriented view of application security activities and controls. It has often been in use for quite some time and has been refined over the years.
It is NOT a new concept brought by this standard. This would make the ASM non-portable, useful for a single organisation only. This International Standard presents an overview of application security. It introduces definitions, concepts, principles and processes involved in application security. Its purpose is to provide general guidance on application security that will be supported, in turn, by more detailed methods and standards in those other areas. It explicitly takes a process approach to specifying, designing, developing, testing, implementing and maintaining security functions and controls in application systems.
The text tends to emphasize deliberate threats arising from external adversaries, implying the importance of confidentiality controls and arguably downplaying insider and accidental threats and the need for integrity and availability controls, but the process described ostensibly takes account of the full spectrum of security risks and controls. Status: part 1 was published in . Three minor corrections plus a revised figure were published in as a technical corrigendum.
Status: part 5-1 was published in as a Technical Specification. Additionally, the prediction will state the conditions under which the prediction is valid and invalid. Status: part 7 was published in