1、BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06 Information technology Security techniques Application security Part 6: Case studies BS ISO/IEC 270346:2016Information technology Security techniques Application security Part 6: Case studies Technologies de linformat
2、ion Techniques de scurit Scurit des applications Partie 6: tudes de cas INTERNATIONAL STANDARD ISO/IEC 27034-6 Reference number ISO/IEC 27034-6:2016(E) First edition 2016-10-01 ISO/IEC 2016 National foreword This British Standard is the UK implementation of ISO/IEC 270346:2016. The UK participation
3、in its preparation was entrusted by Technical Committee IST/33, IT Security techniques, to Subcommittee IST/33/4, Security Controls and Services. A list of organizations represented on this subcommittee can be obtained on request to its secretary. This publication does not purport to include all the
4、 necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016 Published by BSI Standards Limited 2016 ISBN 978 0 580 80086 3 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Stan
5、dard was published under the authority of the Standards Policy and Strategy Committee on 30 November 2016. Amendments/corrigenda issued since publication Date Text affected BRITISH STANDARD BS ISO/IEC 270346:2016Information technology Security techniques Application security Part 6: Case studies Tec
6、hnologies de linformation Techniques de scurit Scurit des applications Partie 6: tudes de cas INTERNATIONAL STANDARD ISO/IEC 27034-6 Reference number ISO/IEC 27034-6:2016(E) First edition 2016-10-01 ISO/IEC 2016 BS ISO/IEC 270346:2016 ii ISO/IEC 2016 All rights reserved COPYRIGHT PROTECTED DOCUMENT
7、ISO/IEC 2016, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written
8、permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 27034
9、-6:2016(E) BS ISO/IEC 270346:2016 ISO/IEC 27034-6:2016(E)Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Abbreviated terms 1 5 S ecurity guidanc e for specific applications 1 5.1 General . 1 5.2 ASC example: Java code revision for mobile applications 2
10、5.2.1 General 2 5.2.2 Purpose 2 5.2.3 Context 2 5.2.4 ORGANIsation Information classification guidelines . 2 5.2.5 Levels of trust included in the ORGANIsation ASC Library . 2 5.2.6 Outcome 3 5.2.7 ORGANIsation stakeholders involved in these ASCs . 4 5.2.8 Descriptions of sample ASCs . 6 5.3 Case st
11、udy: Developing ASCs to address the issue of privacy for two countries 19 5.3.1 General.19 5.3.2 Purpose .19 5.3.3 Context .19 5.4 Case study: Integration of third-party ASCs .21 5.4.1 General.21 5.4.2 Purpose .21 5.4.3 Context .21 5.5 Case study: Using the ASLCRM to facilitate implementation of ASC
12、s by different development groups inside an organization 24 5.5.1 General.24 5.5.2 Purpose .24 5.5.3 Context .24 5.6 Case study: Implementation of third-party ASCs in a secure development life cycle process 26 5.6.1 General.26 5.6.2 Purpose .26 5.6.3 Context .26 5.6.4 Preparation phase (1.00) .27 5.
13、6.5 Requirements phase (2.00) .30 5.6.6 Design phase (3.00) . .31 5.6.7 Implementation phase (4.00) 34 5.6.8 Verification phase (5.00)36 5.6.9 Release phase (6.00)37 5.6.10 Sustainment, support and servicing phase (7.00) .38 Annex A (informative) XML examples for case studies in 5.2 41 Bibliography
14、.70 ISO/IEC 2016 All rights reserved iii Contents Page BS ISO/IEC 270346:2016 ISO/IEC 27034-6:2016(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies t
15、hat are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other inter
16、national organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its
17、 further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directiv
18、es). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be i
19、n the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions
20、related to conformit y assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html. The committee responsible for this document is ISO/IEC JTC 1, Information tec
21、hnology, SC 27, IT Security techniques. A list of all parts in the ISO/IEC 27034 series can be found on the ISO website.iv ISO/IEC 2016 All rights reserved BS ISO/IEC 270346:2016 ISO/IEC 27034-6:2016(E) Introduction 0.1 General There is an increasing need for organizations to focus on protecting the
22、ir information at the application level. A systematic approach towards increasing the level of application security provides an organization with evidence that information being used or stored by its applications is being adequately protected. ISO/IEC 27034 (all parts) provides concepts, principles,
23、 frameworks, components and processes to assist organizations in integrating security seamlessly throughout the life cycle of their applications. The application security control (ASC) is one of the key components of this document. To facilitate the implementation of ISO/IEC 27034 (all parts) applic
24、ation security framework and the communication and exchange of ASCs, a formal structure should be defined for representing ASCs and certain other components of the framework. 0.2 Purpose The purpose of this document is to provide examples of security guidance for organizations to acquire, develop, o
25、utsource and manage security for their specific applications through their life cycle. 0.3 Targeted Audiences 0.3.1 General The following audiences will find values and benefits when carrying their designated organizational roles: a) domain experts. 0.3.2 Domain experts Domain experts contributing k
26、nowledge in application provisioning, operating or auditing, who need to a) participate in ASC development, validation and verification, b) participate in ASC implementation and maintenance, by proposing strategies, components and implementation processes for adapting ASCs to the organizations conte
27、xt, and c) validate that ASCs are useable and useful in application projects. ISO/IEC 2016 All rights reserved v BS ISO/IEC 270346:2016BS ISO/IEC 270346:2016 Information technology Security techniques Application security Part 6: Case studies 1 Scope This document provides usage examples of ASCs for
28、 specific applications. NOTE Herein specified ASCs are provided for explanation purposes only and the audience is encouraged to create their own ASCs to assure the application security. 2 Normative references There are no normative references cited in this document. 3 T erms a nd definiti ons For th
29、e purposes of this document, the terms and definitions given in ISO/IEC 27034-1 apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses: IEC Electropedia: available at http:/ /www.electropedia.org/ ISO Online browsing platform: available at http:/ /
30、www.iso.org/obp 4 Abbreviated terms ASC application security control ASLC application security life cycle ASLCRM application security life cycle reference model ONF organization normative framework 5 S ecurity guidanc e for specific applicatio ns 5.1 General Guidelines play an important role for com
31、panies trying to implement any best practice or ISO standard because they instruct how to institutionalize the practices or rules and, sometimes, the guidance is based on common examples. Companies benefit from this guidance as it demonstrates, as a practical example, how to structure ASCs for speci
32、fic applications using the recommended XML data structure defined in ISO/IEC 27034-5-1 and for the implementation of the Organizational Normative Framework. INTERNATIONAL ST ANDARD ISO/IEC 27034-6:2016(E) ISO/IEC 2016 All rights reserved 1 BS ISO/IEC 270346:2016 ISO/IEC 27034-6:2016(E) 5.2 ASC examp
33、le: Java code revision for mobile applications 5.2.1 General Code review seams trivial but when an application is built from thousands of lines of code, it may be unproductive and/or too expensive to revise everything. This example presents an ASC designed by a fictive organization called ORGANIsati
34、on Inc. This ASC implements the security activity of code review. 5.2.2 Purpose The purpose of 5.2 is to provide an intuitive description of an example ASC named “Code Review” for an organization developing Java mobile applications. For the sake of brevity and readability, a simplified subset of the
35、 ASC is presented in English only (language=”EN”), but the ASC requirements defined in ISO/IEC 27034-5 allows any object in an ASC to be described in any characters sets, as presented by the Table A.1. 5.2.3 Context ORGANIsation Inc. is an international organization developing Java mobile applicatio
36、ns for its own use and on behalf of its clients. ORGANIsation software development offices are located in Montreal, Vancouver and Moscow. For this reason, ORGANIsations policy is that any development documentation, guideline or training should be available in English, French and Russian languages. O
37、RGANIsations implementation strategy for ISO/IEC 27034 (all parts) prioritizes the design of ASCs for reducing security vulnerabilities in Java mobile code. The ORGANIsation ONF committee mandates the Application Security Department (ASD) to design and submit Java code review ASCs. 5.2.4 OR G ANIsat
38、ion Information classification gu idelines ORGANIsation utilizes approved internal classification guidelines for classifying the information into four levels: a) restricted; b) confidential; c) secret; d) top secret. 5.2.5 Levels of trust included in the ORGANIsation ASC Library ORGANIsation had pre
39、viously conducted an organization-wide security risk assessment, for the purpose of which it divided its applications into six categories according to their impact on organizational risk. Following this, domain experts mandated by the ONF committee decided to use those six categories as a template f
40、or defining ORGANIsations application levels of trust. An informal definition along with a descriptive label for each level of trust is given in Table 1.2 ISO/IEC 2016 All rights reserved BS ISO/IEC 270346:2016 ISO/IEC 27034-6:2016(E) Table 1 ORGANIsations application levels of trust Level of trust
41、Name Description 0 Baseline All ORGANIsations applications shall comply with this Level of Trust. 1 Isolated Local network only This Level of Trust is appropriate for applications used on isolated corporate networks, with no connection to external networks. 2 Low Internet, public information only Th
42、is Level of Trust is appropriate for Internet-facing applications sharing public information without any privacy concern. 3 Medium Internet, corpo- rate users This Level of Trust is appropriate for Internet-facing, transactional applications used by corporate users, allowing access to corporate serv
43、ices, user files and/or transactions under $5 000. 4 High Secure transactions and privacy protection over Internet This Level of Trust is appropriate for Internet-facing, transactional applications, used by corporate users, allowing access to user pri- vate information and/or transactions from $5 00
44、0 to $25 000. 5 Private This Level of Trust is appropriate for transactional applications requiring highly secure transactions, privileged access and/or se- cure critical storage. Access to critical information and/or transac- tions over $25 000 is authorized. 5.2.6 Outcome The application security
45、department was mandate to select and acquire an automatic source code review tool suitable for the Java language, with user-configurable review rules. After analysis of vendor propositions, the department selected a tool named “Efficient-Reviewer version 2.2”. At the end of this project, version 1.0
46、 of five ASCs were developed and implemented. Table 2 ORGANIsations ASCs for code review ID Name Level of trust Description ORGANIsa- tion-ASD-042 Code Review Baseline Isolated Local network only This ASC is used to help developers to perform a code review control for JAVA applications. Low Internet
47、, public information only Medium Internet, corporate users High Secure transactions and privacy protection over Internet Private ORGANIsa- tion-ASD-043 Code Classification Baseline Isolated Local network only Classify all Java classes in the packages needed by the application. Low Internet, public i
48、nformation only Medium Internet, corporate users Any class should inherit its classification from the highest-classi- fied information it processes. High Secure transactions and privacy protection over Internet Private ISO/IEC 2016 All rights reserved 3 BS ISO/IEC 270346:2016 ISO/IEC 27034-6:2016(E)
49、 ID Name Level of trust Description ORGANIsa- tion-ASD-044 Basic Automatic Code Review Baseline Isolated Local network only Low Internet, public information only This ASC is used to help developers to implement a code review control for Java applications by providing an automatic source code security review process for Java classes classified as “Strate- gic” and “Critical”. ORGANIsa- tion-ASD-045 Advanced Automatic Code R
