Book description
Web application security as part of an ISO 27001-compliant information security management system
Web application vulnerabilities are a common point of intrusion for cyber criminals. As cybersecurity threats proliferate and attacks escalate, and as applications play an increasingly critical role in business, organizations urgently need to focus on web application security to protect their customers, their interests, and their assets.
Although awareness of the need for web application security is increasing, security levels are nowhere near enough: according to the 2015 Trustwave Global Security Report, 98% of tested web applications were vulnerable to attack.
SMEs in particular should be very concerned about web application security: many use common, off-the-shelf applications and plugins – such as Internet Explorer, Java, Silverlight, and Adobe Reader and Flash Player – which often contain exploitable vulnerabilities.
Application Security in the ISO 27001:2013 Environment explains how organizations can implement and maintain effective security practices to protect their web applications – and the servers on which they reside – as part of a wider information security management system by following the guidance set out in the international standard for information security management, ISO 27001.
The book describes the methods used by criminal hackers to attack organizations via their web applications and provides a detailed explanation of how you can combat such attacks by employing the guidance and controls set out in ISO 27001.
Product overview
Second edition, updated to reflect ISO 27001:2013 as well as best practices relating to cryptography, including the PCI SSC’s denigration of SSL in favour of TLS.
Provides a full introduction to ISO 27001 and information security management systems, including implementation guidance.
Describes risk assessment, management, and treatment approaches.
Examines common types of web app security attack, including injection attacks, cross-site scripting, and attacks on authentication and session management, explaining how each can compromise ISO 27001 control objectives and showing how to test for each attack type.
Discusses the ISO 27001 controls relevant to application security.
Lists useful web app security metrics and their relevance to ISO 27001 controls.
Provides a four-step approach to threat profiling, and describes application security review and testing approaches.
Sets out guidelines and the ISO 27001 controls relevant to them, covering:
input validation
authentication
authorization
sensitive data handling and the use of TLS rather than SSL
session management
error handling and logging
Describes the importance of security as part of the web app development process
Table of contents
- Cover
- Title
- Copyright
- Preface
- About The Authors
- Acknowledgements
- Contents
- Chapter 1: Introduction to the International Information Security Standards ISO27001 and ISO27002
- Chapter 2: The ISO27001 Implementation Project
- Chapter 3: Risk Assessment
- Chapter 4: Introduction to Application Security Theats
- Chapter 5: Application Security and ISO27001
- Chapter 6: Attacks on Applications
- Chapter 7: Secure Development Lifecycle
- Chapter 8: Threat Profiling and Security Testing
- Chapter 9: Secure Coding Guidelines
- ITG Resources
Product information
- Title: Application Security in the ISO 27001:2013 Environment
- Author(s):
- Release date: October 2015
- Publisher(s): IT Governance Publishing
- ISBN: 9781849287692
You might also like
book
Core Software Security
Introducing users to existing software development life cycle (SDLC) models, this book explains their weakness and …
book
Mastering Windows Security and Hardening
Enhance Windows security and protect your systems and servers from various cyber attacks Key Features Protect …
book
Shifting Left for Application Security
Security is a paramount concern for developers, operations and security engineers, and company CISOs alike. Security …
book
Securing the Perimeter: Deploying Identity and Access Management with Free Open Source Software
Leverage existing free open source software to build an identity and access management (IAM) platform that …