BSI Standards Publication

BS ISO/IEC 27034-1:2011

Information technology - Security techniques - Application security
Part 1: Overview and concepts

Incorporating corrigendum January 2014

National foreword

This British Standard is the UK implementation of ISO/IEC 27034-1:2011, incorporating corrigendum January 2014. The start and finish of text introduced or altered by corrigendum is indicated in the text by tags. Text altered by ISO/IEC corrigendum January 2014 is indicated in the text by .

The UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2014. Published by BSI Standards Limited 2014

ISBN 978 0 580 84428 7
ICS 35.040

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 December 2011.

Amendments/corrigenda issued since publication
Date: 28 February 2014. Text affected: Implementation of ISO/IEC corrigendum January 2014

BRITISH STANDARD

INTERNATIONAL STANDARD ISO/IEC 27034-1
First edition 2011-11-15
Reference number ISO/IEC 27034-1:2011(E)
© ISO/IEC 2011

Information technology - Security techniques - Application security - Part 1: Overview and concepts
Technologies de l'information - Techniques de sécurité - Sécurité des applications - Partie 1: Aperçu général et concepts

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2011

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org

Published in Switzerland

BS ISO/IEC 27034-1:2011 ISO/IEC 27034-1:2011(E) © ISO/IEC 2011 - All rights reserved

Contents

FOREWORD vii
INTRODUCTION viii
0.1 GENERAL viii
0.2 PURPOSE viii
0.3 TARGETED AUDIENCES ix
0.3.1 General ix
0.3.2 Managers ix
0.3.3 Provisioning and operation teams x
0.3.4 Acquirers xi
0.3.5 Suppliers xi
0.3.6 Auditors xi
0.3.7 Users xi
0.4 PRINCIPLES xi
0.4.1 Security is a requirement xi
0.4.2 Application security is context-dependent xii
0.4.3 Appropriate investment for application security xii
0.4.4 Application security should be demonstrated xii
0.5 RELATIONSHIP TO OTHER INTERNATIONAL STANDARDS xiii
0.5.1 General xiii
0.5.2 ISO/IEC 27001, Information security management systems - Requirements xiii
0.5.3 ISO/IEC 27002, Code of practice for information security management xiii
0.5.4 ISO/IEC 27005, Information security risk management xiii
0.5.5 ISO/IEC 21827, Systems Security Engineering - Capability Maturity Model (SSE-CMM) xiii
0.5.6 ISO/IEC 15408-3, Evaluation criteria for IT security - Part 3: Security assurance components xiii
0.5.7 ISO/IEC TR 15443-1, A framework for IT security assurance - Part 1: Overview and framework, and ISO/IEC TR 15443-3, A framework for IT security assurance - Part 3: Analysis of assurance methods xiv
0.5.8 ISO/IEC 15026-2, Systems and software engineering - Systems and software assurance - Part 2: Assurance case xiv
0.5.9 ISO/IEC 15288, Systems and software engineering - System life cycle processes, and ISO/IEC 12207, Systems and software engineering - Software life cycle process xiv
0.5.10 ISO/IEC 29193 (under development), Secure system engineering principles and techniques xiv
1 SCOPE 1
2 NORMATIVE REFERENCES 1
3 TERMS AND DEFINITIONS 1
4 ABBREVIATED TERMS 4
5 STRUCTURE OF ISO/IEC 27034 5
6 INTRODUCTION TO APPLICATION SECURITY 6
6.1 GENERAL 6
6.2 APPLICATION SECURITY VS SOFTWARE SECURITY 6
6.3 APPLICATION SECURITY SCOPE 6
6.3.1 General 6
6.3.2 Business context 7
6.3.3 Regulatory context 7
6.3.4 Application life cycle processes 7
6.3.5 Processes involved with the application 7
6.3.6 Technological context 8
6.3.7 Application specifications 8
6.3.8 Application data 8
6.3.9 Organization and user data 8
6.3.10 Roles and permissions 8
6.4 APPLICATION SECURITY REQUIREMENTS 8
6.4.1 Application security requirements sources 8
6.4.2 Application security requirements engineering 9
6.4.3 ISMS 9
6.5 RISK 9
6.5.1 Application security risk 9
6.5.2 Application vulnerabilities 10
6.5.3 Threats to applications 10
6.5.4 Impact on applications 10
6.5.5 Risk management 10
6.6 SECURITY COSTS 10
6.7 TARGET ENVIRONMENT 10
6.8 CONTROLS AND THEIR OBJECTIVES 11
7 ISO/IEC 27034 OVERALL PROCESSES 11
7.1 COMPONENTS, PROCESSES AND FRAMEWORKS 11
7.2 ONF MANAGEMENT PROCESS 12
7.3 APPLICATION SECURITY MANAGEMENT PROCESS 13
7.3.1 General 13
7.3.2 Specifying the application requirements and environment 13
7.3.3 Assessing application security risks 13
7.3.4 Creating and maintaining the Application Normative Framework 13
7.3.5 Provisioning and operating the application 14
7.3.6 Auditing the security of the application 14
8 CONCEPTS 14
8.1 ORGANIZATION NORMATIVE FRAMEWORK 14
8.1.1 General 14
8.1.2 Components 15
8.1.3 Processes related to the Organization Normative Framework 28
8.2 APPLICATION SECURITY RISK ASSESSMENT 30
8.2.1 Risk assessment vs risk management 30
8.2.2 Application risk analysis 31
8.2.3 Risk evaluation 31
8.2.4 Application's Targeted Level of Trust 31
8.2.5 Application owner acceptation 31
8.3 APPLICATION NORMATIVE FRAMEWORK 32
8.3.1 General 32
8.3.2 Components 33
8.3.3 Processes related to the security of the application 33
8.3.4 Application's life cycle 34
8.3.5 Processes 34
8.4 PROVISIONING AND OPERATING THE APPLICATION 34
8.4.1 General 34
8.4.2 Impact of ISO/IEC 27034 on an application project 35
8.4.3 Components 36
8.4.4 Processes 36
8.5 APPLICATION SECURITY AUDIT 37
8.5.1 General 37
8.5.2 Components 38
ANNEX A (INFORMATIVE) MAPPING AN EXISTING DEVELOPMENT PROCESS TO ISO/IEC 27034 - CASE STUDY 39
A.1 GENERAL 39
A.2 ABOUT THE SECURITY DEVELOPMENT LIFECYCLE 39
A.3 SDL MAPPED TO THE ORGANIZATION NORMATIVE FRAMEWORK 40
A.4 BUSINESS CONTEXT 41
A.5 REGULATORY CONTEXT 41
A.6 APPLICATION SPECIFICATIONS REPOSITORY 42
A.7 TECHNOLOGICAL CONTEXT 42
A.8 ROLES, RESPONSIBILITIES AND QUALIFICATIONS 43
A.9 ORGANIZATION ASC LIBRARY 44
A.9.1 Training 45
A.9.2 Requirements 45
A.9.3 Design 46
A.9.4 Implementation 47
A.9.5 Verification 47
A.9.6 Release 48
A.10 APPLICATION SECURITY AUDIT 49
A.11 APPLICATION LIFE CYCLE MODEL 51
A.12 SDL MAPPED TO THE APPLICATION SECURITY LIFE CYCLE REFERENCE MODEL 53
ANNEX B (INFORMATIVE) MAPPING ASC WITH AN EXISTING STANDARD 55
B.1 ASC CANDIDATE CATEGORIES 55
B.1.1 Common security control-related considerations 55
B.1.2 Operational/environmental-related considerations 55
B.1.3 Physical infrastructure-related considerations 55
B.1.4 Public access-related considerations 55
B.1.5 Technology-related considerations 56
B.1.6 Policy/regulatory-related considerations 56
B.1.7 Scalability-related considerations 56
B.1.8 Security objective-related considerations 56
B.2 CLASSES OF SECURITY CONTROLS 57
B.3 SUB-CLASSES IN THE ACCESS CONTROL (AC) CLASS 58
B.4 DETAILED ACCESS CONTROL CLASSES 59
B.4.1 AC-1 Access control policy and procedures 59
B.4.2 AC-2 Account management 59
B.4.3 AC-17 Remote access 60
B.5 DEFINITION OF AN ASC BUILT FROM A SAMPLE SP 800-53 CONTROL 61
B.5.1 Control AU-14 as described in SP 800-53 Rev. 3 61
B.5.2 Control AU-14 as described using ISO/IEC 27034 ASC format 62
ANNEX C (INFORMATIVE) ISO/IEC 27005 RISK MANAGEMENT PROCESS MAPPED WITH THE ASMP 65
BIBLIOGRAPHY 67

Figures

Figure 1 Relationship to other International Standards xiii
Figure 2 Application Security Scope 6
Figure 3 Organization Management Processes 12
Figure 4 Organization Normative Framework (simplified) 15
Figure 5 Graphical representation of an example of an Organization ASC Library 18
Figure 6 Components of an ASC 20
Figure 7 Graph of ASCs 21
Figure 8 Top-level view of the Application Security Life Cycle Reference Model 24
Figure 9 ONF Management Process 28
Figure 10 Application Normative Framework 32
Figure 11 Impact of ISO/IEC 27034 on roles and responsibilities in a typical application project 35
Figure 12 ASC used as a security activity 36
Figure 13 ASC used as a measurement 37
Figure 14 Overview of the application security verification process 38
Figure A.1 Security Development Lifecycle 40
Figure A.2 SDL mapped to the Organization Normative Framework 40
Figure A.3 Example of an ASC tree 45
Figure A.4 Example of a Line of Business Application for Application Security Audit 50
Figure A.5 SDL Process Illustration 52
Figure A.6 SDL mapped to the Application Security Life Cycle Reference Model 53
Figure A.7 Detailed mapping of SDL phases with stages in the Application Security Life Cycle Reference Model 53
Figure C.1 ISO/IEC 27005 risk management process mapped with the ASMP 65

Tables

Table 1 Application Scope vs Application Security Scope 7
Table 2 Mapping of ISMS and application security-related ONF management subprocesses 29
Table B.1 Security control classes, families, and identifiers 57
Table B.2 Security control classes and security control baselines for low-impact, moderate-impact, and high-impact information systems 58
Table B.3 SP 800-53 control AU-14 described using ISO/IEC 27034 ASC format 62

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27034-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

ISO/IEC 27034 consists of the following parts, under the general title Information technology - Security techniques - Application security:

Part 1: Overview and concepts

The following parts are under preparation:

Part 2: Organization normative framework
Part 3: Application security management process
Part 4: Application security validation
Part 5: Protocols and application security control data structure

Introduction

0.1 General

Organizations should protect their information and technological infrastructures in order to stay in business. Traditionally this has been addressed at the IT level by protecting the perimeter and such technological infrastructure components as computers and networks, which is generally insufficient. In addition, organizations are increasingly protecting themselves at the governance level by operating formalized, tested and verified information security management systems (ISMS). A systematic approach contributes to an effective information security management system as described in ISO/IEC 27001.

However, organizations face an ever-growing need to protect their information at the application level. Applications should be protected against vulnerabilities which might be inherent to the application itself (e.g. software defects), appear in the course of the application's life cycle (e.g. through changes to the application), or arise due to the use of the application in a context for which it was not intended. A systematic approach to increased application security provides evidence that information being used or stored by an organization's applications is adequately protected.

Applications can be acquired through internal development, outsourcing or purchasing a commercial product. Applications can also be acquired through a combination of these approaches, which might introduce new security implications that should be considered and managed. Examples of applications are human resource systems, finance systems, word-processing systems, customer management systems, firewalls, anti-virus systems and intrusion detection systems.

Throughout its life cycle, a secure application exhibits prerequisite characteristics of software quality, such as predictable execution and conformance, as well as meeting security requirements from a development, management, technological infrastructure, and audit perspective. Security-enhanced processes and practices, and the skilled people to perform them, are required to build trusted applications that do not increase risk exposure beyond an acceptable or tolerable level of residual risk and support an effective ISMS.

Additionally, a secure application takes into account the security requirements stemming from the type of data, the targeted environment (business, regulatory and technological contexts), the actors and the application specifications. It should be possible to obtain evidence that is shown to demonstrate that an acceptable (or tolerable) level of residual risk has been attained and is being maintained.

0.2 Purpose

The purpose of ISO/IEC 27034 is to assist organizations in integrating security seamlessly throughout the life cycle of their applications by:

a) providing concepts, pri