This series of standards offers a new vision, new principles and elements that facilitate application security planning, implementation, management and repeatable verification. In this webinar, you will hear how a Lead Implementer should select and adjust them, taking into account the business, legal and technological contexts, the priorities and the limited resources of the organization.
Mr. Luc Poulin has more than thirty years of experience in computer science, during which he acquired a solid expertise in IT systems and software engineering. He holds a Ph.D. and the CISSP-ISSMP, CSSLP, CISM, CISA, CASLI and CASLA certifications, and currently works as CEO and Information / Application Security Senior Advisor at Cogentas Inc.
Link of the recorded session published on YouTube: https://youtu.be/Saba09xOcVI
2. – Luc Poulin – Application Security Institute
Luc Poulin
CEO & Information / Application Security Senior Advisor
Mr. Luc Poulin has more than thirty years' experience in computer science, during which he acquired a solid expertise in IT systems and software engineering.
He holds a Ph.D. and the CISSP-ISSMP, CSSLP, CISM, CISA, 27034ASLI and 27034ASLA certifications, and currently works as Information / Application Security Senior Advisor at Cogentas Inc.
Contact Information
+1 418 473-4473
Information@cogentas.org www.cogentas.org
ca.linkedin.com/in/lucpoulin
3. – Luc Poulin – Application Security Institute
IT APPLICATIONS SECURITY
ISO/IEC 27034 – Application security
How to trust... without paying too much!
for PECB
November 8th 2016
Luc Poulin Ph.D, CISSP-ISSMP, CSSLP, CISA, CISM, 27034ASLI, 27034ASLA
CEO, ISO/IEC 27034 Project editor
4. – Luc Poulin – Application Security Institute
Plan
1. Context
2. ISO/IEC 27034 Application security
3. Key Elements and cost management strategies
4. Conclusion
5. – Luc Poulin – Application Security Institute
Context
▶ IT continues to evolve rapidly
New technologies, attacks, vulnerabilities, risks...
▶ Regulatory context evolves
New laws, regulations, regions...
▶ Business evolves
New business contexts, market sectors, needs, opportunities and expectations
6. – Luc Poulin – Application Security Institute
Context
▶ We have tools
IT tools, standards, methods, best practices...
▶ We allocate resources
training, acquisition, hiring, audits...
▶ What is missing
to be confident in the security of an application... without paying too much?
to be able to declare an application secure?
7. – Luc Poulin – Application Security Institute
Context
▶ Information security is becoming a major concern for managers / administrators
▶ Organizations have limited resources
▶ Every organization exists in a specific business context
▶ Usually
the scope of the security of an application is not adequately defined
organizations do not have the slightest idea of the security of their applications
8. – Luc Poulin – Application Security Institute
Context – Concepts & definitions
▶ Information security (ISO/IEC 27000)
preservation of confidentiality, integrity and availability of information
▶ Application security (ISO/IEC 27034)
preservation of confidentiality, integrity and availability of information collected, processed, stored and communicated by an application
▶ Information security is based on risk management
▶ Risk cannot be eliminated; it can only be mitigated to an acceptable level
▶ Application security must be demonstrated
9. – Luc Poulin – Application Security Institute
ISO/IEC 27034 standards series
▶ ISO/IEC 27034 – Application Security
▶ Identifies
target audience
AS objectives, principles, concepts, vision, scope, terms and definitions
▶ Specifies components, processes and the AS framework on two levels:
organization
application
▶ Expresses requirements as recommendations (“should”)
▶ Does not propose any security controls
▶ No certification available yet – in progress
10. – Luc Poulin – Application Security Institute
ISO/IEC 27034 standards series
▶ ISO/IEC 27034 – Application Security
Part 1: Overview and concepts (2011)
Part 2: Organization normative framework (2015)
Part 3: Application security management process (2017)
Part 4: Application security validation (2019)
Part 5: Protocols and application security control data structure (2017)
Part 5-1: XML Schemas (2017)
Part 6: Case studies (2016)
Part 7: Assurance prediction framework (2017)
11. – Luc Poulin – Application Security Institute
ISO/IEC 27034 – A new vision for AS
▶ Four areas of intervention
▶ Each has:
Technology
Process
People
[Figure: the four areas arranged around the Critical Information at the centre: Security Management (Governance); Application & IT System (Development and Evolution); Technology (Acquisition, Maintenance and Contingency); Verification & control (Conformity)]
12. – Luc Poulin – Application Security Institute
ISO/IEC 27034 – A new vision of AS
▶ 9 groups of information to protect (the original table also had columns "Application" and "AS scope" for each group)
Organization and user's data
Application data
Roles and permissions
Application specifications
Technological context
Processes involving the application
Application life cycle processes
Regulatory context
Business context
13. – Luc Poulin – Application Security Institute
ISO/IEC 27034 – A new vision for AS
▶ Changing Perspective – Cost Management
[Figure: layers labelled Organization (Technology, People, Process), Information, Infrastructure, Software, Application, Applications Security]
14. – Luc Poulin – Application Security Institute
Application Security Life Cycle Reference Model
[Figure: the model is a grid of layers against life cycle stages]
Layers:
Application provisioning and operation
Application management: application provisioning management, application operation management
Infrastructure management: application provisioning infrastructure management, application operation infrastructure management, disposal
Application audit: application provisioning audit, application operation audit
Actors: Role 1, Role 2, Role 3, Role 4 ... Role n
Provisioning stages: Preparation, Realization (Outsourcing, Development or Acquisition), Transition
Operation stages: Utilization and maintenance, Archival, Destruction / Disposal
Key elements and cost management strategies
15. – Luc Poulin – Application Security Institute
Key elements and cost management strategies
▶ Risk management in AS
Impact = $$$
[Figure: sources of risk for AS, each contributing risks (R): Technological context, Regulatory context, Business context, Application specifications]
16. – Luc Poulin – Application Security Institute
Key elements and cost management strategies
▶ Risk Treatment
For governance
for applications security
[Figure: a Risk leads to an AS Requirement, which is met by a Control (ASC / CSA) that yields a Mitigated risk; the ASC carries the expected evidence supporting the reduced risk claim; Impact before: $$$, Impact after: $, Cost: ?/?]
17. – Luc Poulin – Application Security Institute
Key elements and cost management strategies
▶ The Application Security Control (ASC)
[Figure: an ASC is made of the following elements, positioned on the Application Security Life Cycle Reference Model, each with its cost ($/t)]
Security Activity (what, how, where, who, when, how much)
Verification Measurement (what, how, where, who, when, how much)
Application Target Level of Trust (why)
Security Requirements (why): application specifications, compliance to regulations, standards and best practices, etc.
18. – Luc Poulin – Application Security Institute
Key elements and cost management strategies
▶ ASCs may have a graph relationship
Mitigate risk
hiding/segmenting complexity
[Figure: a Business-layer ASC "Online Payment" (PCI-DSS Std.) decomposed into a graph of ASCs across the Functional, Infrastructure and User layers, each with its CSA]
19. – Luc Poulin – Application Security Institute
Key elements and cost management strategies
▶ ASCs may have a graph relationship
Mitigate risk
hiding/segmenting complexity
▶ Facilitates cost management
[Figure: the same "Online Payment" ASC graph (Business, Functional, Infrastructure and User layers), with a cost ($) attached to each CSA]
20. – Luc Poulin – Application Security Institute
Key elements and cost management strategies
▶ ASCs may have a graph relationship
Mitigate risk
hiding/segmenting complexity
▶ Facilitates project, resources, training and qualifications management, etc.
[Figure: the same "Online Payment" ASC graph (Business, Functional, Infrastructure and User layers), with a time (t) attached to each CSA]
21. – Luc Poulin – Application Security Institute
Key elements and cost management strategies
▶ ASC Library
[Figure: the Organisation ASC Library laid out against the application levels of trust used by the organisation (a scale from 0 to 10); each ASC is placed at a level of trust with its cost, from $ to $$$$$]
Sources of specifications and constraints, giving the specifications and constraints that ASCs are built from:
Application specifications: Online payment, Secure Log
Business context: PCI-DSS, Aeronautics
Regulatory context: Privacy Laws
Technological context: Wireless, SSL Connection
22. – Luc Poulin – Application Security Institute
Key elements and cost management strategies
▶ Level of Trust
Target: List of ASCs that have been identified and approved by the application owner
Expected: List of ASCs that succeeded and those that are predicted to succeed verification tests
Actual: List of ASCs that succeeded verification tests
▶ Application can be considered secure when
Actual Level of Trust ≥ Target Level of Trust
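The ASC graph relationship of slides 18 to 20 and the Target / Expected / Actual comparison above, as an added Python model (not the presentation's or the standard's code); the ASC fields, the cost/effort rollup and the constructed "Online Payment" controls and figures are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ASC:
    """Application Security Control (field names are this example's own): a
    security activity and its verification, with cost ($) and effort (t)."""
    name: str
    layer: str                       # Business / Functional / Infrastructure / User
    cost: float                      # $ of the activity plus its verification
    effort: float                    # t, e.g. person-days
    children: list = field(default_factory=list)  # graph relationship to sub-ASCs
    verified: Optional[bool] = None  # True passed, False failed, None not yet run
    predicted_pass: bool = False     # forecast used for the Expected level

def walk(asc, seen=None):
    """Yield asc and every ASC below it once; a shared sub-ASC is not double-counted."""
    seen = set() if seen is None else seen
    if id(asc) not in seen:
        seen.add(id(asc))
        yield asc
        for child in asc.children:
            yield from walk(child, seen)

def rollup(asc):
    """Cost and effort of a top-level ASC including the complexity it hides."""
    nodes = list(walk(asc))
    return sum(n.cost for n in nodes), sum(n.effort for n in nodes)

def level_of_trust(target_ascs):
    """Target / Expected / Actual level of trust as sets of ASC names."""
    nodes = [n for root in target_ascs for n in walk(root)]
    target = {n.name for n in nodes}
    actual = {n.name for n in nodes if n.verified is True}
    expected = actual | {n.name for n in nodes if n.verified is None and n.predicted_pass}
    return target, expected, actual

def is_secure(target_ascs):
    """Secure when every ASC of the Target level is in the Actual level."""
    target, _, actual = level_of_trust(target_ascs)
    return target <= actual

# Constructed sample: the "Online Payment" business ASC from the slides, decomposed
# into one control per lower layer; names and figures are made up for illustration.
tls = ASC("TLS on payment endpoint", "Infrastructure", 2000, 3, verified=True)
token = ASC("Card data tokenization", "Functional", 15000, 20, verified=True)
training = ASC("Operator PCI training", "User", 3000, 5, predicted_pass=True)
online_payment = ASC("Online Payment (PCI-DSS)", "Business", 5000, 8,
                     children=[token, tls, training], verified=True)
```

For the sample, `rollup` aggregates to 25000 $ and 36 t across the four controls, and `is_secure` stays False while the training control is only predicted to pass, becoming True once its verification succeeds.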
23. – Luc Poulin – Application Security Institute
Key elements and cost management strategies
▶ The ONF
Repository, authoritative source of information
Does not require the implementation of all elements
Respecting the priorities and capabilities of the organization (restaurant menu)
[Figure: components of the Organization Normative Framework (ONF)]
Business context
Regulatory context
Technological context
Application specifications and functionalities repository
Roles, responsibilities and qualifications repository
Categorized information groups repository
ASC Library – ASC (Application Security Controls)
Application Security Traceability Matrix
Application Security Life Cycle Reference Model
Application Normative Frameworks (ANF) – Application Security Life Cycle Model
Management processes related to application security: Application Security Risk Management, ONF Committee Management, ONF Management, Application Security Management, Application Security Conformance
24. – Luc Poulin – Application Security Institute
Conclusion
▶ ISO 27034 can help to manage AS costs
Offers a more comprehensive and inclusive security vision
- Only an approach that takes into account the interests of all stakeholders and the nature of the systems, networks and related services can ensure effective security (OCDE, 2002)
Supports the risk management model
- Follows the critical information flow inside application processes and components
- Only protects an application's critical elements
Facilitates estimation of AS cost
- Evaluate implementation costs of "small" security controls to improve estimation quality (Caulkins et al., 2007)
25. – Luc Poulin – Application Security Institute
Conclusion
▶ ISO 27034 can help to manage AS costs
Helps organizations to:
- identify and establish the Level of Trust for an application, and the ASC requirements related to the application according to its AS risk
• Supplier selection: RFP / Service Offering
• Follow AS implementation
- provide evidence that an application has achieved and maintained a target level of trust, according to a specific usage context
Expected results for every ASC
- justify the trust of an organization that its application is protected according to the risk coming from the application contexts
Risk analysis results -vs- Target Level of Trust
26. – Luc Poulin – Application Security Institute
Conclusion
▶ ISO 27034 can help to minimize AS costs
Promotes the integration of security activities into the existing organization processes
- minimize application security impacts
- minimize resistance to change
Helps organizations to:
- set / manage ASCs and Levels of trust
- respect organization resources and priorities
- improve internal knowledge and best practices
- encapsulate knowledge in ASCs
- standardize ASCs and activities across the organization
- apply ASCs to people, processes and technology (depending on which is easier / cheaper)
- promote reuse
- reduce training, implementation and auditing costs
27. – Luc Poulin – Application Security Institute
Thank you for your time
ISO/IEC 27034 – Application security
How to trust... without paying too much!
for PECB
November 8th 2016
Luc Poulin Ph.D, CISSP-ISSMP, CSSLP, CISA, CISM, 27034ASLI, 27034ASLA
CEO, ISO/IEC 27034 Project editor
Luc.Poulin@Cogentas.org
28. – Luc Poulin – Application Security Institute
ISO/IEC 27034 Training Courses
ISO/IEC 27034 Application Security Introduction
27034ASI – 1 Day Course
ISO/IEC 27034 Application Security Foundation
27034ASF – 2 Days Course
ISO/IEC 27034 Lead Application Security Implementer
27034ASLI – 5 Days Course
ISO/IEC 27034 Lead Application Security Auditor
27034ASLA – 5 Days Course
Exam and certification fees are included in the training price.
https://pecb.com/iso-iec-27034-training-courses | www.pecb.com/events
29. – Luc Poulin – Application Security Institute
THANK YOU
+1 418 473-4473
Information@cogentas.org www.cogentas.org
ca.linkedin.com/in/LucPoulin