Application security in the ISO27001:2013 Environment
4/5
()
About this ebook
Application Security in the ISO 27001:2013 Environment explains how organisations can implement and maintain effective security practices to protect their web applications – and the servers on which they reside – as part of a wider information security management system by following the guidance set out in the international standard for information security management, ISO 27001.
The book describes the methods used by criminal hackers to attack organisations via their web applications and provides a detailed explanation of how you can combat such attacks by employing the guidance and controls set out in ISO 27001.
Product overview
- Second edition, updated to reflect ISO 27001:2013 as well as best practices relating to cryptography, including the PCI SSC’s denigration of SSL in favour of TLS.
- Provides a full introduction to ISO 27001 and information security management systems, including implementation guidance.
- Describes risk assessment, management and treatment approaches.
- Examines common types of web app security attack, including injection attacks, cross-site scripting, and attacks on authentication and session management, explaining how each can compromise ISO 27001 control objectives and showing how to test for each attack type.
- Discusses the ISO 27001 controls relevant to application security.
- Lists useful web app security metrics and their relevance to ISO 27001 controls.
- Provides a four-step approach to threat profiling, and describes application security review and testing approaches.
- Sets out guidelines and the ISO 27001 controls relevant to them, covering:
- input validation
- authentication
- authorisation
- sensitive data handling and the use of TLS rather than SSL
- session management
- error handling and logging
- Describes the importance of security as part of the web app development process
Vinod Vasudevan
Vinod Vasudevan, CISSP, is the Director of Managed Risk Services at Paladion. He is the co-author of Enhancing Computer Security with Smart Technology, published by Auerbach. Prior to co-founding Paladion, Vinod worked with Microsoft.
Related to Application security in the ISO27001:2013 Environment
Related ebooks
ISO 27001 Controls – A guide to implementing and auditing Rating: 5 out of 5 stars5/5Information Security Risk Management for ISO 27001/ISO 27002, third edition Rating: 4 out of 5 stars4/5Information Security Risk Management for ISO27001/ISO27002 Rating: 4 out of 5 stars4/5An Introduction to Information Security and ISO27001:2013: A Pocket Guide Rating: 4 out of 5 stars4/5ISO27001/ISO27002:2013: A Pocket Guide Rating: 4 out of 5 stars4/5ISO27001:2013 Assessments Without Tears Rating: 3 out of 5 stars3/5ISO 27001/ISO 27002: A guide to information security management systems Rating: 0 out of 5 stars0 ratingsISO/IEC 27001:2022: An introduction to information security and the ISMS standard Rating: 5 out of 5 stars5/5Risk Management and Information Systems Control Rating: 5 out of 5 stars5/5Managing Information Security Breaches: Studies from real life Rating: 0 out of 5 stars0 ratingsISO/IEC 27701:2019: An introduction to privacy information management Rating: 4 out of 5 stars4/5Information Security Breaches: Avoidance and Treatment based on ISO27001 Rating: 0 out of 5 stars0 ratingsRisk Assessment for Asset Owners Rating: 4 out of 5 stars4/5CISSP For Dummies Rating: 4 out of 5 stars4/5We Need To Talk: 52 Weeks To Better Cyber-Security Rating: 0 out of 5 stars0 ratingsApplication Security in the ISO27001 Environment Rating: 0 out of 5 stars0 ratingsAsset Security: CISSP, #2 Rating: 0 out of 5 stars0 ratingsInformation Security Governance: A Practical Development and Implementation Approach Rating: 0 out of 5 stars0 ratingsThe Manager’s Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security Rating: 0 out of 5 stars0 ratingsSelling Information Security to the Board: A Primer Rating: 0 out of 5 stars0 ratingsThe Psychology of Information Security: Resolving conflicts between security compliance and human behaviour Rating: 5 out of 5 stars5/5Fundamentals of Information Security Risk Management Auditing: An introduction for managers and auditors Rating: 5 out of 5 stars5/5The Case for ISO27001:2013 Rating: 1 out of 5 stars1/5The Cyber Security Handbook – Prepare for, respond to and recover from cyber attacks Rating: 0 out of 5 stars0 ratingsISO27001 in a Windows Environment: The best practice implementation handbook for a Microsoft Windows environment Rating: 0 out of 5 stars0 ratingsCyber Essentials: A guide to the Cyber Essentials and Cyber Essentials Plus certifications Rating: 0 out of 5 stars0 ratings
Security For You
How to Become Anonymous, Secure and Free Online Rating: 5 out of 5 stars5/5Social Engineering: The Science of Human Hacking Rating: 3 out of 5 stars3/5IAPP CIPP / US Certified Information Privacy Professional Study Guide Rating: 0 out of 5 stars0 ratingsCybersecurity: The Beginner's Guide: A comprehensive guide to getting started in cybersecurity Rating: 5 out of 5 stars5/5Make Your Smartphone 007 Smart Rating: 4 out of 5 stars4/5Tor and the Dark Art of Anonymity Rating: 5 out of 5 stars5/5CompTIA Security+ Study Guide: Exam SY0-601 Rating: 5 out of 5 stars5/5Hacking For Dummies Rating: 4 out of 5 stars4/5CompTIA Network+ Review Guide: Exam N10-008 Rating: 0 out of 5 stars0 ratingsCompTIA Network+ Practice Tests: Exam N10-008 Rating: 0 out of 5 stars0 ratingsCompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701 Rating: 0 out of 5 stars0 ratingsThe Hacker Crackdown: Law and Disorder on the Electronic Frontier Rating: 4 out of 5 stars4/5The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers Rating: 4 out of 5 stars4/5Wireless Hacking 101 Rating: 5 out of 5 stars5/5How Not To Use Your Smartphone Rating: 5 out of 5 stars5/5Cybersecurity All-in-One For Dummies Rating: 0 out of 5 stars0 ratingsCybersecurity For Dummies Rating: 5 out of 5 stars5/5The Cyber Attack Survival Manual: Tools for Surviving Everything from Identity Theft to the Digital Apocalypse Rating: 0 out of 5 stars0 ratingsCodes and Ciphers - A History of Cryptography Rating: 4 out of 5 stars4/5How to Hack Like a GOD: Master the secrets of hacking through real-life hacking scenarios Rating: 4 out of 5 stars4/5How to Hack Like a Pornstar Rating: 5 out of 5 stars5/5Hacking : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Ethical Hacking Rating: 5 out of 5 stars5/5CompTIA Network+ Certification Guide (Exam N10-008): Unleash your full potential as a Network Administrator (English Edition) Rating: 0 out of 5 stars0 ratingsThe Invisibility Toolkit Rating: 5 out of 5 stars5/5Codes and Ciphers Rating: 5 out of 5 stars5/5Blockchain Basics: A Non-Technical Introduction in 25 Steps Rating: 4 out of 5 stars4/5
Reviews for Application security in the ISO27001:2013 Environment
2 ratings0 reviews
Book preview
Application security in the ISO27001:2013 Environment - Vinod Vasudevan
Resources
CHAPTER 1: INTRODUCTION TO THE INTERNATIONAL INFORMATION SECURITY STANDARDS ISO27001 AND ISO27002
What is information security?
It is a truism to say that information is the currency of the information age. Information is, in many cases, the most valuable asset possessed by an organisation, even if that information has not been subject to a formal and comprehensive valuation.
IT governance is the discipline that deals with the structures, standards and processes that boards and management teams apply to effectively manage, protect and exploit their organisations’ information assets.
Information security management is the subset of IT governance that focuses on protecting and securing an organisation’s information assets. The international standard ISO27000 defines information security as the preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved
.
Reasons to implement an information security management system (ISMS)
There are, broadly, four reasons for an organisation to implement an ISMS:
Strategic: a government or parent company requirement, or a strategic board decision, to better manage its information security within the context of its overall business risks.
Customer confidence: the need to demonstrate to one or more customers that the organisation complies with information security management best practice, or the opportunity to gain a competitive edge over its competitors, in both customer and supplier relationships.
Regulatory: the desire to meet various statutory and regulatory requirements, particularly around computer misuse, data protection and personal privacy.
Internal effectiveness: the desire to manage information more effectively within the organisation.
Although not explicitly stated in ISO27001, it should be remembered that while all four of these reasons for adopting an ISMS are good, having an ISO27001-compliant ISMS will not automatically confer immunity from legal obligations. The organisation will have to ensure that it understands the range of legislation and regulation with which it must comply, ensure that these requirements are reflected in the ISMS as it is developed and implemented, and then ensure that the ISMS works as designed.
The ISMS and regulation
Regulations and the law in each of the areas mentioned above are still evolving; they are sometimes poorly drafted, often contradictory (particularly between jurisdictions) and have little or no case law to provide guidance for organisations in planning their compliance efforts. It can be difficult for organisations to identify specific methods for complying with individual laws. In these circumstances, implementation of a best practice ISMS may support a defence in court that the management did everything that was reasonably practicable for it to do in meeting its legal and regulatory requirements. Of course, every organisation would have to take its own legal advice on issues such as this, and neither this book nor these authors provide guidance of any sort on this issue.
ISO/IEC 27001:2013 (‘ISO27001’ or ‘the Standard’)
Published by the International Organization for Standardization (ISO), this is the most recent, most up-to-date, international version of a standard specification for an information security management system. It is vendor-neutral and technology-independent. It is designed for use in organisations of all sizes (intended to be applicable to all organisations, regardless of type, size and nature
¹) and in every sector (e.g. commercial enterprises, government agencies, not-for-profit organisations), anywhere in the world. It is a management system, not a technology specification and this is reflected in its formal title, which is Information technology – Security techniques – Information security management systems – Requirements. ISO27001 is also the first of a series of international information security standards, all of which have ISO2700X numbers.
ISO/IEC 27001:2013 is a specification for an ISMS. It sets out requirements and uses words like ‘must’ and ‘shall’. One mandatory requirement is that controls determined during the information security risk treatment should be compared with those in Annex A [to] verify that no necessary controls have been omitted
.² Annex A to ISO/IEC 27001:2013 lists the 114 controls that are in ISO/IEC 27002:2013, follows the same numbering system as that standard and uses the same words and definitions.
As Annex A of ISO27001 states, The control objectives and controls listed [below] are directly derived from and aligned with those listed in ISO/IEC 27002:20013
.³ ISO27002 provides substantial implementation guidance on how individual controls should be approached. Anyone implementing an ISO27001 ISMS will need to study both ISO27001 and ISO27002.
While ISO27001 mandates the use of ISO27002 as a source of guidance on controls, control selection and control implementation, it does not limit the organisation’s choice of controls to those in ISO27002. Clause 6.1.3 c) of ISO27001states:
The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.
ISO/IEC 27002:2013 (‘ISO27002’)
This standard is titled Information technology – Security techniques – Code of practice for information security controls. Published in September 2013, it replaced ISO/IEC 27002:2005, which has now been withdrawn. Prior to this, until August 2007, it was designated ISO17799.
ISO/IEC 27002:2013 is a code of practice. It provides guidance and uses words like ‘may’ and ‘should’. It provides an internationally accepted framework for best practice in information security management and systems interoperability. It also provides guidance on how to implement an ISMS capable of certification, to which an external auditor could refer. It does not provide the basis for an international certification scheme.
Definitions
The definitions used in both standards are standardised within ISO/IEC 27000. This ensures that consistent definitions are available for all ISO2700X standards.
Risks to information assets
An asset is defined in ISO27000 as anything that has value to the organisation
. Information assets are subject to a wide range of threats, both external and internal, ranging from the random to the highly specific. Risks include acts of nature, fraud and other criminal activity, user error and system failure. Information risks can affect one or more of the three fundamental attributes of an information asset, its:
availability
confidentiality
integrity.
These three attributes, commonly known as the ‘security triad’, are defined in ISO27000 as follows:
availability: the property of being accessible and usable upon demand by an authorised entity
, which allows for the possibility that information has to be accessed by software programs as well as human users;
confidentiality: the property that information is not made available or disclosed to unauthorised individuals, entities, or processes
;
integrity: the property of protecting the accuracy and completeness of assets
(i.e. preventing unauthorised changes, whether malicious or accidental).
Information Security Management System
ISO27000 defines an ISMS as:
Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security. The management system includes organisational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.
An ISMS exists to preserve confidentiality, integrity and availability. It secures the confidentiality, availability and integrity of the organisation’s information and information assets, and its most critical information assets are those for which all three attributes are important.
Relationship between the standards
The working relationship between ISO27001 and ISO27002 needs to be very clear, as ISO27001 relies to such a substantial extent on ISO27002 that it mandates its use.
The link between the two standards was created in 1999, when BS7799 was first published as a two-part standard:
Part 1 was a code of practice.
Part 2 was a specification for an ISMS that deployed controls selected from the code of practice.
The original Part 2 specified, in the main body of the Standard, the same set of controls that were described, in far greater detail (particularly with regard to implementation) in Part 1. These controls were later removed from the main body of Part 2 and listed in an annex, Annex A.
This relationship continues today, between the specification for the ISMS that is contained in one part of the combined standard, and the detailed guidance on the information security controls that should be considered in developing and implementing the ISMS and which are contained in the other part of the combined standard. The addition of further standards in the ISO2700x series has not changed this fundamental relationship between ISO27001 and ISO27002; rather, it has expanded the range of guidance in ISO27002 to refer to those other standards where relevant.
Specification compared to a code of practice
ISO/IEC 27001:2013 is a specification for an ISMS. It uses words like ‘shall’. It sets out requirements.
A code of practice or a set of guidelines uses words like ‘should’ and ‘may’, allowing individual organisations to choose which elements of the standard to implement, and which not. A specification does not provide any such latitude.
Any organisation that implements an ISMS that it wishes to have assessed against ISO/IEC 27001 will have to follow the specification contained in the Standard.
As a general rule, organisations implementing an ISMS based on ISO/IEC 27001:2013 will do well to pay close attention to the wording of the Standard itself, and to be aware of any revisions to it. Non-compliance with any official revisions, which usually occur on a three-year and a five-year cycle, will jeopardise an existing certification.
ISO27001 itself is what an ISMS will be assessed against; where there is any conflict between advice provided in this or any other guide to implementation of ISO27001 and the Standard itself, it is the wording in the Standard that should be heeded.
An external certification auditor assesses the ISMS against the published Standard, not against the advice provided by this book, a sector scheme manager, a consultant or any other third party. It is critical that those responsible for the ISMS should be able to refer explicitly to its clauses and intent and should be able to defend any implementation steps they have taken against the Standard itself.
An appropriate first step is to read ISO/IEC 27001:2013. Copies can be purchased from the ISO website, from national standards bodies and from www.itgovernance.co.uk. There is a choice of hard copy and downloadable versions to suit individual needs.
The ISMS
An ISMS – which the Standard is clear includes organisational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources
⁴ – is a structured, coherent management approach to information security which is designed to ensure the effective interaction of the three key components of implementing an information security policy:
process (or procedure)
technology
user behaviour.
The Standard states that the design and implementation of an ISMS is directly influenced by each organisation’s needs and objectives, security requirements, the organizational processes used and the size and structure of the organization.
⁵
ISO27001 is not a one-size-fits-all solution, nor was it ever seen as a static, fixed entity that interferes with the growth and development of the business. The Standard explicitly recognises that:
the ISMS will be scaled in accordance with the needs of the organisation
the influencing factors will change over time
and the ISMS will change to reflect this.
ISO27001 as a model for the ISMS
In the simple terms of the Standard, ISO27001 is a useful model for establishing, implementing, maintaining and continually improving an information security management system
.⁶ It is a model that can be applied anywhere in the world and understood anywhere in the world. It is consistent, coherent, contains the assembled best practice, experience and expertise gathered from implementations throughout the world over the last ten years, and it is technology-neutral. It is designed for implementation in any hardware or software environment.
As noted earlier, having an ISO27001-compliant ISMS will not automatically confer immunity from legal obligations. The organisation will have to ensure that it understands the range of legislation and regulation with which it must comply, and ensure that these requirements are reflected in its ISMS.
¹ ISO/IEC 27001:2013, Scope 1.
² ISO/IEC 27001:2013, 6.1.3 c) Information security risk treatment.
³ ISO/IEC 27001:2013, Annex A.
⁴ ISO/IEC27000:2012, 2.34 Note.
⁵ ISO/IEC27001:2013, Introduction, 0.1 General.
⁶ All three quotations are from ISO/IEC27001:2013, Introduction, 0.1 General.
CHAPTER 2: THE ISO27001 IMPLEMENTATION PROJECT
The successful design, development and implementation of an ISMS in line with the requirements of ISO27001 is a significant project. There are a number of important aspects to such a project, all of which are developed in detail in IT Governance: An International Guide to ISO27001/ISO27002. A project team will need to be set up and it will need the full support of management.
PDCA/Management methods
Previously, ISO27001 mandated the use of the Plan-Do-Check-Act (PDCA) model to create a compliant ISMS. The 2013 update, however, allows for the use of either PDCA or comparable continual improvement management methods such as ITIL® or COBIT® 5. Under the PDCA model, an organisation ‘Plans’ what it is going to do, carries out those plans, i.e. ‘Do’ it, ‘Checks’ that what they have done has achieved the desired objective, and then ‘Acts’ on any shortfall. For ISO27001, that would put the following tasks in each of the P-D-C-A stages:
Plan (establish the ISMS): establish the scope, security policy, targets, processes and procedures relevant to assessing risk and carry out risk assessment in order to improve information security so that it delivers results in accordance with the organisation’s overall policies and objectives.
Do (implement and operate the ISMS): implement and operate the security policy, and the controls that were chosen as a result of the risk assessment process, as well as the processes and procedures of the ISMS.
Check (monitor and review the ISMS): assess and, where applicable, measure process performance against security policy, objectives and practical experience, and report the results to management for review. This will include measuring