ISO/IEC 27034

ISO/IEC 27034:2011+ – Information technology – Security techniques – Application security (all published except part 4)


Business and IT managers, developers and auditors, and ultimately end-users of ICT, can follow ISO/IEC 27034 for guidance on security when specifying, designing, programming, procuring, implementing, and using IT systems. It aims to ensure that computer applications deliver the desired level of security, in line with the organization’s Information Security Management System, and so address many ICT security issues.

Scope and objectives

The purpose of this multi-part standard is to guide organizations through identifying, designing, selecting, and establishing efficient information security controls designed and integrated into the Systems Development Life Cycle. It is process-oriented.

It includes software applications created internally, acquired from outside, outsourced/offshored or developed using a hybrid model.

From determining requirements for information security to protecting information accessed by a system, to preventing unauthorized action/use by the system, this standard covers it all.

This standard is SDLC-method-agnostic: It is not specific to any particular approach, process, or stage, but is written to apply to every approach, process, or stage. The approach complements existing standards and methods for system development without conflicting with them.

A key driving principle of this approach is that it’s worth investing more heavily in specifying, designing, developing, testing, and maintaining software security controls or functions that will be reused; reuse does, however, increase the chance of propagating vulnerabilities more broadly than would otherwise be the case. Simply put, “Do it right, do it once, and reuse it”. While it may seem idealistic, many farsighted organizations already use it successfully: the approach goes far beyond academic research.

ISO/IEC 27034-1:2011 – Information technology – Security techniques – Application security – Part 1 – Introduction

– As with many multi-part ISO27k standards, the introduction presents a general overview of the rest of the standard;
– An 80-page document with lots of detail;
– This isn’t a tool for the creation of software applications, it’s not a method for organising software development projects, and it’s not a method to develop software development cycles. This document is meant to provide general guidance on application security for those areas, which will be supplemented by more detailed methods and standards in those other areas;
– Uses an explicit process-based approach to specify, design, develop, test, implement and maintain security functions and controls for application systems. Rather than understanding application security to be the security state of the system (the outcome of the process), it defines it as “the process that an organization can apply to its applications to manage the risk of using them”;
– Designing and building an application to meet a Targeted Level of Trust (like a security plan), and then validating that application against the trust level;
– Employs principles of auditing and certifying applications in a style similar to that of the Common Criteria and other similar schemes associated with government and military systems. The text typically emphasizes deliberate threats from external adversaries, implying an imperative for confidentiality controls, and neglects insider or accidental threats, which also matter for integrity and availability. The process described, however, ostensibly encompasses the full range of security risks;
– Status: Part 1 was published in 2011. A technical corrigendum published in 2014 included three minor corrections and a revised figure.

ISO/IEC 27034-2:2015 – Information technology – Security techniques – Application security – Part 2: Organization normative framework

– Provides information on the structure, relationship and interdependencies among processes in the Organization Normative Framework – a set of application security policy, procedure, role, and tool components;
– The standard assists organizations with designing, implementing, operating, and auditing their ONF;
– The system relies on a formal and bureaucratic approach, such as a committee overseeing the ONF, so it may be appropriate for companies with highly structured approaches to securing application development;
– Status: Part 2 was published in 2015.

ISO/IEC 27034-3:2018 – Information technology – Security techniques – Application security – Part 3: Application security management process

– Outlines the Application Security Management Process, i.e. “the process of managing security in each application that an entity uses”;
– This part of the standard could be the most broadly applicable and useful;
– Status: Part 3 was released in 2018.

ISO/IEC 27034-4 – Information technology – Security techniques – Application security – Part 4: Application security validation (DRAFT)

– Much of this part will discuss the validation and certification process, which determines the level of trust each application has relative to its previously stated [information security] requirements;
– About 40 pages long with some detail;
– Status: Part 4 of the project was cancelled, then resurrected. It reached Draft International Standard status before being withdrawn once again at the end of 2020 due to resistance from CASCO – ISO’s Committee on Conformity Assessment. In 2021 the team started again with a Preliminary Work Item, this time in collaboration with CASCO.

ISO/IEC 27034-5:2017 — Information technology — Security techniques — Application security — Part 5: Communications protocols and application security control data structure

– Describes the Application Security Control (ASC) data structure, which includes requirements, descriptions, graphical representations, and XML schema. The XML schema is based on ISO/TS 15000 (ebXML), a markup language designed to integrate business applications and systems;
– Part 5 defines a formal structure for ASCs and some of the other components of the ISO/IEC 27034 application security framework to facilitate their implementation;
– Part 5 permits the establishment of software libraries of reusable application security functions between organizations and within them;
– It defines basic characteristics of the Application Security Lifecycle Reference Model and ASCs;
– Status: Part 5 was released in 2017.

ISO/IEC TS 27034-5-1:2018 — Information technology — Security techniques — Application security — Part 5-1: Protocols and application security control data structure, XML schemas

– The XML schemas support the minimum set of information requirements for both ASCs and the activities and roles defined in the Application Security Life Cycle Reference Model in part 5.
– Status: Part 5-1 was published as a technical specification in 2018.

ISO/IEC 27034-6:2016 — Information technology — Security techniques — Application security — Part 6: Case studies

– Demonstrates how ASCs can be developed and documented, defining how information security should be handled during the software development process
– Status: Part 6 of this series was published in 2016.

ISO/IEC 27034-7:2018 — Information technology — Security techniques — Application security — Part 7: Assurance prediction framework

– Delivers an assurance framework to provide confidence that a computer program’s security arrangements are adequate, for instance, when one program (for example, an application) depends on another (for example, an application database management system, utility program, operating system, or a companion application) performing critical security operations (e.g., password authentication, logical access control or cryptography), or whenever an organization modifies a trusted program;
– Assists users in considering, determining/specifying, and documenting the trust or criticality (which in formal terms is known as “security predictability”) which can then be used to make reasonable decisions about how software is manufactured, delivered, managed, operated, and maintained;
– Describes the minimum requirements for relying on a Prediction Application Security Rationale (PASR) to replace the required activities specified by an Application Security Control. The ASCs mapped to the PASRs define the ELT for the subsequent application.
– PASRs can be used by project teams with an implementation normative framework and a trust-level-based original production.
– Status: Part 7 was published in 2018.
– Commentary: The language in part 7 is very formal/stilted (for instance: “An application security claim is a claim that the application team implemented certain security controls and those controls mitigate specific security risks to an acceptable level. A security prediction is the transfer of confidence in the original claim to a claim that the same security controls are also present in a subsequent version of the application and mitigate, to the same acceptable level, the same specific security risks.” – Got it?).


It is hoped that all parts of the standard will align with JTC 1/SC 17’s software engineering standards, and that its terminology will be aligned with ISO 31000.

It is an exceptional achievement to be able to create libraries of reusable, parameterized, well-engineered security functions, enabling widespread adoption of good security practices in software development.


