Luc Poulin – Application Security Institute
Luc Poulin
CEO & Information / Application Security Senior Advisor
Mr. Luc Poulin has more than thirty years' experience in
computer science, during which he acquired solid expertise in
IT systems and software engineering.
He holds a Ph.D. and the CISSP-ISSMP, CSSLP, CISM, CISA, 27034ASLI
and 27034ASLA certifications, and currently works as Information / Application
Security Senior Advisor at Cogentas Inc.
Contact Information
+1 418 473-4473
Information@cogentas.org www.cogentas.org
ca.linkedin.com/in/lucpoulin
IT APPLICATIONS SECURITY
ISO/IEC 27034 – Application security
How to trust... without paying too much!
for PECB
November 8th 2016
Luc Poulin Ph.D, CISSP-ISSMP, CSSLP, CISA, CISM, 27034ASLI, 27034ASLA
CEO, ISO/IEC 27034 Project editor
Plan
1. Context
2. ISO/IEC 27034 Application security
3. Key Elements and cost management strategies
4. Conclusion
Context
▶ IT continues to evolve rapidly
New technologies, attacks, vulnerabilities, risks...
▶ Regulatory context evolves
New laws, regulations, regions…
▶ Business evolves
New business contexts, market sectors, needs,
opportunities and expectations
Context
▶ We have tools
IT tools, standards, methods, best practices…
▶ We allocate resources
training, acquisition, hiring, audits…
▶ What is missing
to be confident in the security of an application...
Without paying too much?
to be able to declare an application secure?
Context
▶ Information security becomes a major concern for
managers / administrators
▶ Organizations have limited resources
▶ Every organization exists in a specific business
context
▶ Usually
the scope of the security of an application is not
adequately defined
organizations do not have the slightest idea of the
security of their applications
Context – Concepts & definitions
▶ Information security (ISO/IEC 27000)
preservation of confidentiality, integrity and availability
of information
▶ Application security (ISO/IEC 27034)
preservation of confidentiality, integrity and availability
of information collected, processed, stored and
communicated by an application
▶ Information security is based on risk management
▶ Risk cannot be eliminated, only mitigated
to an acceptable level
▶ Application security must be demonstrated
ISO/IEC 27034 standards series
▶ ISO/IEC 27034 – Application Security
▶ Identifies
 target audience
 AS objectives, principles, concepts,
vision, scope, terms and definitions
▶ Specifies components, processes, and
AS framework on two levels :
 organization
 application
▶ Identifies requirements as
recommendations (“should”)
▶ Does not propose any security controls
▶ No certification available – in progress
ISO/IEC 27034 standards series
▶ ISO/IEC 27034 – Application Security
 Part 1: Overview and concepts (2011)
 Part 2: Organization normative
framework (2015)
 Part 3: Application security
management process (2017)
 Part 4: Application security
validation (2019)
 Part 5: Protocols and application security
control data structure (2017)
 Part 5-1: XML Schemas (2017)
 Part 6: Case studies (2016)
 Part 7: Assurance prediction framework (2017)
ISO/IEC 27034 – A new vision for AS
▶ Four areas of intervention (figure: the four areas surround the Critical Information)
 Security Management (Governance)
 Application & IT System (Development and Evolution)
 Technology (Acquisition, Maintenance and Contingency)
 Verification & control (Conformity)
▶ Each has: Technology, Process, People
ISO/IEC 27034 – A new vision of AS
▶ 9 groups of information to protect (table columns: Group of information, Application, AS scope)
 Organization and user’s data
 Application data
 Roles and permissions
 Application specifications
 Technological context
 Processes involving the application
 Application life cycle processes
 Regulatory context
 Business context
ISO/IEC 27034 – A new vision for AS
▶ Changing Perspective – Cost Management
(figure: the Organization with its Technology, People, Process and Information; Infrastructure and Software; Application and Applications Security)
Application Security Life Cycle Reference Model
(figure) Layers, stages and actors of the reference model:
 Provisioning stages: Preparation, Realization (Outsourcing / Development / Acquisition), Transition
 Operation stages: Utilization and maintenance, Archival, Destruction (Disposal)
 Layer "Application provisioning and operation": Preparation, Utilization, Archival, Destruction
 Layer "Application management": Application provisioning management, Application operation management
 Layer "Infrastructure management": Application provisioning infrastructure management, Application operation infrastructure management, Disposal
 Layer "Application audit": Application provisioning audit, Application operation audit
 Actors: Role 1, Role 2, Role 3, Role 4 … Role n
Key elements and cost management strategies
Key elements and cost management strategies
▶ Risk management in AS
(figure) Sources of risk for AS: Technological context, Regulatory context, Business context and Application specifications; each source contributes several risks (R), and Impact = $$$
Key elements and cost management strategies
▶ Risk Treatment
 For governance
 for applications security
(figure) Risk → AS Requirement (expected evidence supporting the reduced risk claim) → Control (ASC) → Mitigated risk; Impact before: $$$, Impact after: $; Cost: ?/?
Key elements and cost management strategies
▶ The Application Security Control (ASC)
(figure) An ASC ties Security Requirements (why: application specifications, compliance to regulations, standards and best practices, etc.) and the Application Target Level of Trust (why) to a Security Activity (what, how, where, who, when, how much) and a Verification Measurement (what, how, where, who, when, how much), each carrying a cost $/t and placed on the Application Security Life Cycle Reference Model
Key elements and cost management strategies
▶ ASCs may have
a graph relationship
 Mitigate risk
 hiding/segmenting
complexity
(figure: a graph of ASC/CSA nodes across the Business, Functional, Infrastructure and User levels; at the Business level the Online Payment ASC is linked to the PCI-DSS Std.)
Key elements and cost management strategies
▶ ASCs may have
a graph relationship
 Mitigate risk
 hiding/segmenting
complexity
▶ Facilitates
cost management
(figure: the same Online Payment ASC graph across the Business, Functional, Infrastructure and User levels, with a cost $ attached to each ASC/CSA node)
Key elements and cost management strategies
▶ ASCs may have
a graph relationship
 Mitigate risk
 hiding/segmenting
complexity
▶ Facilitates
project,
resources,
training and
qualifications
management,
etc.
(figure: the same Online Payment ASC graph across the Business, Functional, Infrastructure and User levels, with a time t attached to each ASC/CSA node)
Key elements and cost management strategies
▶ ASC Library
(figure) Organisation ASC Library: columns are the application levels of trust used by the organisation (0, 1, 2, 3 … 9, 10); rows are the sources of specifications and constraints, each contributing ASCs whose cost ranges from $ to $$$$$:
 Application specifications: Online payment, Secure Log
 Business context: PCI-DSS, Aeronautics
 Regulatory context: Privacy Laws
 Technological context: Wireless, SSL Connection
Key elements and cost management strategies
▶ Level of Trust
Target: List of ASCs that have been identified and
approved by the application owner
Expected: List of ASCs that succeeded and those that
are predicted to succeed verification tests
Actual: List of ASCs that succeeded verification tests
▶ Application can be considered secure when
Actual Level of Trust ≥ Target Level of Trust
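As an added illustration of the ASC graph, its $/t roll-up and the three Levels of Trust (example code, not from the presentation or from the standard; ASC names follow the slides, all numbers and verification results are constructed):

```python
"""Added example, not code from the presentation or from ISO/IEC 27034 itself: a small
model of an Organization ASC Library (ASCs with graph relationships and $/t roll-up)
and the Level of Trust rule "application secure when Actual >= Target".  ASC names echo
the slides; costs, efforts and verification results are constructed sample values."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, List, Set


class Verification(Enum):
    PASSED = "passed"        # verification measurement succeeded
    PREDICTED = "predicted"  # not measured yet, but predicted to succeed
    FAILED = "failed"        # measurement failed (or was never run)


@dataclass
class ASC:
    """Application Security Control: a security activity plus its verification measurement."""
    name: str
    source: str     # application specification / business / regulatory / technological context
    cost: float     # own implementation cost ($), excluding sub-ASCs
    effort: float   # own verification effort (t), excluding sub-ASCs
    sub_ascs: List[str] = field(default_factory=list)  # graph relationship to other ASCs


class ASCLibrary:
    def __init__(self, ascs: Iterable[ASC]) -> None:
        self.ascs: Dict[str, ASC] = {a.name: a for a in ascs}

    def expand(self, name: str) -> Set[str]:
        """Every ASC implied by selecting `name`, following sub-ASC links (cycle-safe)."""
        result: Set[str] = set()
        stack = [name]
        while stack:
            current = stack.pop()
            if current in result:
                continue
            if current not in self.ascs:
                raise KeyError(f"ASC {current!r} is not in the library")
            result.add(current)
            stack.extend(self.ascs[current].sub_ascs)
        return result

    def roll_up(self, selected: Iterable[str]) -> Dict[str, float]:
        """Total $ and t for a selection; an ASC shared by several parents is counted once."""
        chosen: Set[str] = set()
        for name in selected:
            chosen |= self.expand(name)
        return {"cost": sum(self.ascs[n].cost for n in chosen),
                "effort": sum(self.ascs[n].effort for n in chosen)}


def target_level_of_trust(library: ASCLibrary, approved: Iterable[str]) -> Set[str]:
    """Target: ASCs identified and approved by the application owner, sub-ASCs included."""
    target: Set[str] = set()
    for name in approved:
        target |= library.expand(name)
    return target


def expected_level_of_trust(results: Dict[str, Verification]) -> Set[str]:
    """Expected: ASCs that passed verification plus those predicted to pass."""
    return {n for n, v in results.items() if v in (Verification.PASSED, Verification.PREDICTED)}


def actual_level_of_trust(results: Dict[str, Verification]) -> Set[str]:
    """Actual: only ASCs whose verification measurement really succeeded."""
    return {n for n, v in results.items() if v is Verification.PASSED}


def is_secure(actual: Set[str], target: Set[str]) -> bool:
    """'Actual Level of Trust >= Target Level of Trust': every target ASC has evidence."""
    return target <= actual


# Constructed sample library: names from the slides, numbers invented for illustration.
LIBRARY = ASCLibrary([
    ASC("Online Payment", "application specification", 5.0, 2.0, ["PCI-DSS Std.", "SSL Connection"]),
    ASC("PCI-DSS Std.", "business context", 20.0, 8.0, ["Secure Log", "SSL Connection"]),
    ASC("Secure Log", "application specification", 3.0, 1.0),
    ASC("SSL Connection", "technological context", 2.0, 1.0),
    ASC("Privacy Laws", "regulatory context", 6.0, 3.0, ["Secure Log"]),
])

# Constructed verification results for an application whose owner approved "Online Payment".
RESULTS = {
    "Online Payment": Verification.PASSED,
    "PCI-DSS Std.": Verification.PREDICTED,
    "Secure Log": Verification.PASSED,
    "SSL Connection": Verification.PASSED,
}

if __name__ == "__main__":
    target = target_level_of_trust(LIBRARY, ["Online Payment"])
    actual = actual_level_of_trust(RESULTS)
    print(sorted(target), LIBRARY.roll_up(["Online Payment"]))
    print("secure:", is_secure(actual, target), "missing:", sorted(target - actual))
```

The Expected level passes while the Actual level does not, which is exactly the gap between a predicted and a demonstrated claim; the roll-up also shows that an ASC reused by several parents (Secure Log, SSL Connection) is budgeted once.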
Key elements and cost management strategies
▶ The ONF
Repository, authoritative source of information
Does not require the implementation of all elements
Respecting the priorities and capabilities of the organization (restaurant menu)
(figure) Organization Normative Framework (ONF) components:
 Business context, Regulatory context, Technological context
 Application specifications and functionalities repository
 Roles, responsibilities and qualifications repository
 Categorized information groups repository
 ASC Library (Application Security Controls)
 Application Security Traceability Matrix
 Application Security Life Cycle Reference Model
 Application Normative Frameworks (ANF), each with its Application Security Life Cycle Model
 Management processes related to application security: Application Security Risk Management, ONF Committee Management, ONF Management, Application Security Management, Application Security Conformance
Conclusion
▶ ISO 27034 can help to manage AS costs
Offers a more comprehensive and inclusive security
vision
- Only an approach that takes into account the interests of all
stakeholders and the nature of the systems, networks and
related services can ensure effective security (OCDE, 2002)
Supports the risk management model
- Follows the critical information flow inside application
processes and components
- Only protects an application’s critical elements
Facilitates estimation of AS cost
- Evaluate implementation costs of "small" security controls to
improve estimation quality (Caulkins et al., 2007)
Conclusion
▶ ISO 27034 can help to manage AS costs
Helps organizations to:
- identify and establish the Level of Trust for an application
 ASC requirements related to an application, according to its
AS risk
• Supplier selection: RFP / Service Offering
• Follow AS implementation
- provide evidence that an application has achieved and
maintained a target level of trust, according to a specific
usage context
 Expected results for every ASC
- justify the trust an organization places in the protection of its
application, according to the risks coming from the application's contexts
 Risk analysis results -vs- Target Level of Trust
Conclusion
▶ ISO 27034 can help to minimize AS costs
Promotes the integration of security activities in the existing
organization processes
- minimize application security impacts
- minimize resistance to change
Helps organizations to:
- set / manage ASCs and Levels of trust
- respect organization resources and priorities
- improve internal knowledge and best practices
- encapsulate knowledge in ASCs
- standardize ASCs and activities across the organization
- apply ASCs to people, processes and technology
(whichever is easier / cheaper)
- promote reuse
- reduce training, implementation and auditing costs
Thanks for your time
Luc.Poulin@Cogentas.org
ISO/IEC 27034 Training Courses
 ISO/IEC 27034 Application Security Introduction
27034ASI – 1 Day Course
 ISO/IEC 27034 Application Security Foundation
27034ASF – 2 Days Course
 ISO/IEC 27034 Lead Application Security Implementer
27034ASLI – 5 Days Course
 ISO/IEC 27034 Lead Application Security Auditor
27034ASLA – 5 Days Course
Exam and certification fees are included in the training price.
https://pecb.com/iso-iec-27034-training-courses | www.pecb.com/events

ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 

Dernier

SURVEY I created for uni project research
SURVEY I created for uni project researchSURVEY I created for uni project research
SURVEY I created for uni project research
CaitlinCummins3
 
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
中 央社
 
MSc Ag Genetics & Plant Breeding: Insights from Previous Year JNKVV Entrance ...
MSc Ag Genetics & Plant Breeding: Insights from Previous Year JNKVV Entrance ...MSc Ag Genetics & Plant Breeding: Insights from Previous Year JNKVV Entrance ...
MSc Ag Genetics & Plant Breeding: Insights from Previous Year JNKVV Entrance ...
Krashi Coaching
 

Dernier (20)

The Ball Poem- John Berryman_20240518_001617_0000.pptx
The Ball Poem- John Berryman_20240518_001617_0000.pptxThe Ball Poem- John Berryman_20240518_001617_0000.pptx
The Ball Poem- John Berryman_20240518_001617_0000.pptx
 
BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...
BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...
BỘ LUYỆN NGHE TIẾNG ANH 8 GLOBAL SUCCESS CẢ NĂM (GỒM 12 UNITS, MỖI UNIT GỒM 3...
 
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
 
SURVEY I created for uni project research
SURVEY I created for uni project researchSURVEY I created for uni project research
SURVEY I created for uni project research
 
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
 
Spring gala 2024 photo slideshow - Celebrating School-Community Partnerships
Spring gala 2024 photo slideshow - Celebrating School-Community PartnershipsSpring gala 2024 photo slideshow - Celebrating School-Community Partnerships
Spring gala 2024 photo slideshow - Celebrating School-Community Partnerships
 
PSYPACT- Practicing Over State Lines May 2024.pptx
PSYPACT- Practicing Over State Lines May 2024.pptxPSYPACT- Practicing Over State Lines May 2024.pptx
PSYPACT- Practicing Over State Lines May 2024.pptx
 
Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...
 
Chapter 7 Pharmacosy Traditional System of Medicine & Ayurvedic Preparations ...
Chapter 7 Pharmacosy Traditional System of Medicine & Ayurvedic Preparations ...Chapter 7 Pharmacosy Traditional System of Medicine & Ayurvedic Preparations ...
Chapter 7 Pharmacosy Traditional System of Medicine & Ayurvedic Preparations ...
 
Implanted Devices - VP Shunts: EMGuidewire's Radiology Reading Room
Implanted Devices - VP Shunts: EMGuidewire's Radiology Reading RoomImplanted Devices - VP Shunts: EMGuidewire's Radiology Reading Room
Implanted Devices - VP Shunts: EMGuidewire's Radiology Reading Room
 
diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....
 
Đề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinhĐề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinh
 
MSc Ag Genetics & Plant Breeding: Insights from Previous Year JNKVV Entrance ...
MSc Ag Genetics & Plant Breeding: Insights from Previous Year JNKVV Entrance ...MSc Ag Genetics & Plant Breeding: Insights from Previous Year JNKVV Entrance ...
MSc Ag Genetics & Plant Breeding: Insights from Previous Year JNKVV Entrance ...
 
Improved Approval Flow in Odoo 17 Studio App
Improved Approval Flow in Odoo 17 Studio AppImproved Approval Flow in Odoo 17 Studio App
Improved Approval Flow in Odoo 17 Studio App
 
Features of Video Calls in the Discuss Module in Odoo 17
Features of Video Calls in the Discuss Module in Odoo 17Features of Video Calls in the Discuss Module in Odoo 17
Features of Video Calls in the Discuss Module in Odoo 17
 
II BIOSENSOR PRINCIPLE APPLICATIONS AND WORKING II
II BIOSENSOR PRINCIPLE APPLICATIONS AND WORKING IIII BIOSENSOR PRINCIPLE APPLICATIONS AND WORKING II
II BIOSENSOR PRINCIPLE APPLICATIONS AND WORKING II
 
How to Manage Closest Location in Odoo 17 Inventory
How to Manage Closest Location in Odoo 17 InventoryHow to Manage Closest Location in Odoo 17 Inventory
How to Manage Closest Location in Odoo 17 Inventory
 
Benefits and Challenges of OER by Shweta Babel.pptx
Benefits and Challenges of OER by Shweta Babel.pptxBenefits and Challenges of OER by Shweta Babel.pptx
Benefits and Challenges of OER by Shweta Babel.pptx
 
Basic Civil Engineering notes on Transportation Engineering, Modes of Transpo...
Basic Civil Engineering notes on Transportation Engineering, Modes of Transpo...Basic Civil Engineering notes on Transportation Engineering, Modes of Transpo...
Basic Civil Engineering notes on Transportation Engineering, Modes of Transpo...
 
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
 Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
Envelope of Discrepancy in Orthodontics: Enhancing Precision in Treatment
 
