Book description
Software applications are conduits of critical business data, so it is vital that they are adequately secured. The de-facto standard on application security, this book is your step-by-step guide to securing your software applications within a best-practice ISO/IEC 27001 and PCI DSS environment.
Table of contents
- Copyright
- Preface
- 1. Introduction to the International Information Security Standards ISO27001 and ISO27002
- What is information security?
- The ISMS and regulation
- ISO/IEC27001:2005 (‘ISO27001’ or ‘the Standard’)
- ISO/IEC27002:2005 (‘ISO27002’)
- Definitions
- Risks to information assets
- Information Security Management System
- Relationship between the standards
- Specification compared to a Code of Practice
- The ISMS
- ISO27001 as a model for the ISMS
- 2. The ISO27001 Implementation Project
- PDCA cycle
- Project team
- Demonstrating management commitment
- Project team/steering committee
- Information security co-ordination
- Project initiation
- Awareness
- Awareness tools
- Documentation requirements and record control
- ISO27001 document control requirements
- Annex A document controls
- Document approval
- Contents of the ISMS documentation
- Record control
- Documentation process and toolkits
- 3. Risk Assessment
- 4. Introduction to Application Security Threats
- 5. Application Security and ISO27001
- A.12.1.1 Security requirements analysis and specifications
- A.12.5.1 Change control procedures
- A.12.5.2 Technical review of applications after operating system changes
- A.12.5.3 Restrictions on changes to software packages
- A.12.5.5 Outsourced software development
- A.10.1.3 Segregation of duties
- A.10.1.4 Separation of development, test and operational facilities
- A.10.3.2 System acceptance
- A.12.4.2 Protection of system test data
- A.12.4.3 Access control to program source code
- A.12.2.1 Input validation
- A.12.2.2 Control of internal processing, and A.12.2.4 Output data validation
- A.12.2.3 Message integrity
- A.11.6.1 Information access restriction
- A.11.2.2 Privilege management
- A.11.2.4 Review of user access rights
- A.11.6.2 Sensitive system isolation
- A.11.2.1 User registration
- A.11.2.3 Password management
- A.11.5.3 Password management system
- A.11.5.4 Use of system utilities
- A.11.5.5 Session time out
- A.11.5.6 Limitation of connection time
- A.10.10.1 Audit logging
- A.10.10.2 Monitoring system use
- A.10.10.3 Protection of log information
- A.10.10.4 Administrator and operator logs
- A.15.2.2 Technical compliance checking
- A.10.9.1 Electronic commerce
- A.10.9.2 Online transactions
- A.10.9.3 Publicly available information
- Security metrics
- Bibliography
- 6. Attacks on Applications
- 7. Secure Development Lifecycle
- 8. Threat Profiling and Security Testing
- 9. Secure Coding Guidelines
- Input validation guidelines (ISO27001 A.12.2.1)
- Authentication guidelines (ISO27001 A.11.5.2)
- Defend against password guessing
- Enforce strong passwords (ISO27001 A.11.5.3)
- Enforce account lockouts (ISO27001 A.11.5.1)
- Use CAPTCHAs
- Implement a secure ‘Remember me’ feature
- Never store passwords in cookies
- Demand the password before critical operations
- Implement a secure ‘forgot password’ feature
- Implement a secure ‘change password’ feature
- Protect against ‘browser refresh’
- Safe usage
- Guidelines for handling sensitive data (ISO27001 A.10.7.3)
- Session management guidelines
- Error handling and logging (ISO27001 A.10.10.5)
- Miscellaneous guidelines
- ITG Resources
Product information
- Title: Application Security in the ISO27001 Environment
- Author(s):
- Release date: April 2008
- Publisher(s): IT Governance Publishing
- ISBN: 9781905356355