Luc Poulin – Application Security Institute
Luc Poulin
CEO & Information / Application Security Senior Advisor
Mr. Luc Poulin has more than thirty years' experience in computer science, during which he acquired a solid expertise in IT systems and software engineering.
He holds a Ph.D. and the CISSP-ISSMP, CSSLP, CISM, CISA, 27034ASLI and 27034ASLA certifications, and currently works as Information / Application Security Senior Advisor at Cogentas Inc.
Contact Information
+1 418 473-4473
Information@cogentas.org www.cogentas.org
ca.linkedin.com/in/lucpoulin
IT APPLICATIONS SECURITY
ISO/IEC 27034 – Application security
How to trust... without paying too much!
for PECB
November 8th 2016
Luc Poulin Ph.D, CISSP-ISSMP, CSSLP, CISA, CISM, 27034ASLI, 27034ASLA
CEO, ISO/IEC 27034 Project editor
Plan
1. Context
2. ISO/IEC 27034 Application security
3. Key Elements and cost management strategies
4. Conclusion
Context
▶ IT continues to evolve rapidly
 New technologies, attacks, vulnerabilities, risks...
▶ Regulatory context evolves
 New laws, regulations, regions…
▶ Business evolves
 New business contexts, market sectors, needs, opportunities and expectations
Context
▶ We have tools
 IT tools, standards, methods, best practices…
▶ We allocate resources
 training, acquisition, hiring, audits…
▶ What is missing
 to be confident in the security of an application... without paying too much?
 to be able to declare an application secure?
Context
▶ Information security is becoming a major concern for managers / administrators
▶ Organizations have limited resources
▶ Every organization exists in a specific business context
▶ Usually
 the scope of the security of an application is not adequately defined
 organizations do not have the slightest idea of the security of their applications
Context – Concepts & definitions
▶ Information security (ISO/IEC 27000)
 preservation of confidentiality, integrity and availability of information
▶ Application security (ISO/IEC 27034)
 preservation of confidentiality, integrity and availability of information collected, processed, stored and communicated by an application
▶ Information security is based on risk management
▶ Risk cannot be eliminated, only mitigated to an acceptable level
▶ Application security must be demonstrated
ISO/IEC 27034 standards series
▶ ISO/IEC 27034 – Application Security
▶ Identifies
 target audience
 AS objectives, principles, concepts, vision, scope, terms and definitions
▶ Specifies components, processes, and an AS framework on two levels:
 organization
 application
▶ Expresses requirements as recommendations (“should”)
▶ Does not propose any security controls
▶ No certification available – in progress
ISO/IEC 27034 standards series
▶ ISO/IEC 27034 – Application Security
 Part 1: Overview and concepts (2011)
 Part 2: Organization normative framework (2015)
 Part 3: Application security management process (2017)
 Part 4: Application security validation (2019)
 Part 5: Protocols and application security control data structure (2017)
 Part 5-1: XML Schemas (2017)
 Part 6: Case studies (2016)
 Part 7: Assurance prediction framework (2017)
ISO/IEC 27034 – A new vision for AS
▶ Four areas of intervention, each covering Technology, Process and People, arranged around the application's Critical Information:
 Security Management (Governance)
 Application & IT System (Development and Evolution)
 Technology (Acquisition, Maintenance and Contingency)
 Verification & control (Conformity)
ISO/IEC 27034 – A new vision of AS
▶ 9 groups of information to protect (the original table marks, for each group, whether it belongs to the Application and whether it is in the AS scope):
 Organization and user’s data
 Application data
 Roles and permissions
 Application specifications
 Technological context
 Processes involving the application
 Application life cycle processes
 Regulatory context
 Business context
ISO/IEC 27034 – A new vision for AS
▶ Changing Perspective – Cost Management
(Diagram: the Organization's Technology, People, Process and Information, with the Application and its Infrastructure and Software placed inside the Application Security scope.)
Application Security Life Cycle Reference Model
(Diagram: a matrix of layers against stages, with actors Role 1 … Role n across the top.)
▶ Provisioning stages: Preparation, Realization (Outsourcing, Development, Acquisition), Transition
▶ Operation stages: Utilization and maintenance, Archival, Destruction (Disposal)
▶ Layers:
 Application provisioning and operation
 Application management: application provisioning management, application operation management
 Infrastructure management: application provisioning infrastructure management, application operation infrastructure management, disposal
 Application audit: application provisioning audit, application operation audit
Key elements and cost management strategies
Key elements and cost management strategies
▶ Risk management in AS
(Diagram: each source of risk for AS feeds several risks (R), and every risk has an impact expressed as $$$.)
 Technological context
 Regulatory context
 Business context
 Application specifications
Key elements and cost management strategies
▶ Risk Treatment
 for governance
 for applications security
(Diagram: a Risk gives rise to an AS Requirement, which is treated by a Control, the ASC. The ASC carries the expected evidence supporting the reduced-risk claim and leaves a Mitigated risk. Impact before: $$$; impact after: $; cost of the ASC: ?/?)
Key elements and cost management strategies
▶ The Application Security Control (ASC)
(Diagram: an ASC ties together the Application Target Level of Trust (why) and the Security Requirements (why): application specifications, compliance to regulations, standards and best practices, etc. It defines a Security Activity (what, how, where, who, when, how much) and a Verification Measurement (what, how, where, who, when, how much), each with its own $/t, and is positioned in the Application Security Life Cycle Reference Model.)
Key elements and cost management strategies
▶ ASCs may have a graph relationship
 Mitigate risk
 hiding/segmenting complexity
▶ Facilitates cost management
▶ Facilitates project, resources, training and qualifications management, etc…
(Diagram, built up over three slides: a business-layer ASC "Online Payment", derived from the PCI-DSS Std., decomposes into a graph of ASCs across the Business, Functional, Infrastructure and User layers; each ASC in the graph carries its own cost ($) and its own time/effort (t).)
Key elements and cost management strategies
▶ ASC Library
(Diagram: the Organisation ASC Library is organised by the application levels of trust used by the organisation, 0 to 10, and by source of specifications and constraints: Application specifications (e.g. Online payment, Secure Log), Business context (e.g. PCI-DSS, Aeronautics), Regulatory context (e.g. Privacy Laws) and Technological context (e.g. Wireless, SSL Connection). Each ASC in the library carries its cost, from $ to $$$$$.)
Key elements and cost management strategies
▶ Level of Trust
 Target: List of ASCs that have been identified and approved by the application owner
 Expected: List of ASCs that succeeded verification tests and those that are predicted to succeed them
 Actual: List of ASCs that succeeded verification tests
▶ An application can be considered secure when Actual Level of Trust ≥ Target Level of Trust
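As an added example (not from the deck and not the standard's own data model), the check on this slide can be made mechanical: a small Python model of an ASC library with the graph relationship and per-ASC cost shown on the earlier slides, computing the Target, Expected and Actual Levels of Trust from verification results. The ASC identifiers, layers, costs and verification results are constructed for illustration.

```python
from dataclasses import dataclass, field

# Verification outcomes for one ASC (an ASC absent from the results is treated
# as not verified, so it can be neither Expected nor Actual).
PASSED, PREDICTED, FAILED = "passed", "predicted", "failed"


@dataclass
class ASC:
    """One Application Security Control in the organisation's ASC library."""
    asc_id: str
    layer: str                      # business / functional / infrastructure / user
    cost: float                     # implementation cost ($) from the library
    time: float                     # effort (t) from the library
    children: list = field(default_factory=list)  # sub-ASCs (graph relationship)


# Constructed ASC library for this example: ids, layers, costs and the graph are
# illustrative only and are not taken from ISO/IEC 27034 or any real ONF.
LIBRARY = {a.asc_id: a for a in [
    ASC("online-payment", "business", 0, 0,
        ["card-tokenization", "tls-only", "secure-log", "payment-operator-training"]),
    ASC("card-tokenization", "functional", 30, 5, ["secure-log"]),
    ASC("secure-log", "functional", 12, 2, ["log-storage"]),
    ASC("tls-only", "infrastructure", 8, 1),
    ASC("log-storage", "infrastructure", 6, 1),
    ASC("payment-operator-training", "user", 4, 1),
    ASC("wireless-hardening", "infrastructure", 10, 2),  # in the library, not in this target
]}


def closure(library, roots):
    """Every ASC reachable from the root ASCs through the graph relationship.
    An ASC shared by several parents (secure-log above) is returned once, which
    is what makes reuse cheaper when costs are summed."""
    seen, stack = set(), list(roots)
    while stack:
        asc_id = stack.pop()
        if asc_id in seen:
            continue
        if asc_id not in library:
            raise KeyError(f"ASC {asc_id!r} is not in the ONF ASC library")
        seen.add(asc_id)
        stack.extend(library[asc_id].children)
    return seen


def cost_of_target(library, target):
    """Total ($, t) of a Target Level of Trust, each ASC counted once."""
    ids = closure(library, target)
    return (sum(library[i].cost for i in ids), sum(library[i].time for i in ids))


def levels_of_trust(library, target, verification):
    """Target / Expected / Actual Levels of Trust as sets of ASC ids.

    target:       ASCs approved by the application owner (roots of the graph).
    verification: asc_id -> PASSED, PREDICTED or FAILED; missing = not verified.
    An ASC with sub-ASCs only counts when its own result and all of its
    sub-ASCs' results count, so a failure deep in the graph propagates up."""
    target_ids = closure(library, target)
    memo = {}

    def status(asc_id):
        if asc_id in memo:
            return memo[asc_id]
        memo[asc_id] = FAILED          # provisional: a cycle would resolve as FAILED
        own = verification.get(asc_id)
        subs = [status(c) for c in library[asc_id].children]
        if own == PASSED and all(s == PASSED for s in subs):
            memo[asc_id] = PASSED
        elif own in (PASSED, PREDICTED) and all(s in (PASSED, PREDICTED) for s in subs):
            memo[asc_id] = PREDICTED
        return memo[asc_id]

    actual = {i for i in target_ids if status(i) == PASSED}
    expected = actual | {i for i in target_ids if status(i) == PREDICTED}
    return {
        "target": target_ids,
        "expected": expected,
        "actual": actual,
        "secure": actual >= target_ids,       # Actual Level of Trust >= Target
        "gap": sorted(target_ids - actual),   # what still blocks the claim
    }


if __name__ == "__main__":
    target = ["online-payment"]
    print("cost ($, t):", cost_of_target(LIBRARY, target))
    results = {i: PASSED for i in closure(LIBRARY, target)}
    results["secure-log"] = PREDICTED         # constructed: not yet verified
    print(levels_of_trust(LIBRARY, target, results))
```

Because a predicted sub-ASC demotes every ASC above it to Expected, the gap list names the whole chain that must be verified before the application owner can claim the Target Level of Trust.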
Key elements and cost management strategies
▶ The ONF
 Repository, authoritative source of information
 Does not require the implementation of all elements
 Respecting the priorities and capabilities of the organization (restaurant menu)
(Diagram: components of the Organization Normative Framework (ONF))
 Business context, Regulatory context, Technological context
 Application specifications and functionalities repository
 Roles, responsibilities and qualifications repository
 Categorized information groups repository
 ASC Library (Application Security Controls)
 Application Security Traceability Matrix
 Application Security Life Cycle Reference Model
 Application Normative Frameworks (ANF), each with its Application Security Life Cycle Model
 Management processes related to application security: Application Security Risk Management, ONF Committee Management, ONF Management, Application Security Management, Application Security Conformance
Conclusion
▶ ISO 27034 can help to manage AS costs
 Offers a more comprehensive and inclusive security vision
- Only an approach that takes into account the interests of all stakeholders and the nature of the systems, networks and related services can ensure effective security (OCDE, 2002)
 Supports the risk management model
- Follows the critical information flow inside application processes and components
- Only protects an application’s critical elements
 Facilitates estimation of AS cost
- Evaluate implementation costs of "small" security controls to improve estimation quality (Caulkins et al., 2007)
Conclusion
▶ ISO 27034 can help to manage AS costs
 Helps organizations to:
- identify and establish the Level of Trust for an application
 ASC requirements related to an application, according to its AS risk
• Supplier selection: RFP / Service Offering
• Follow AS implementation
- provide evidence that an application has achieved and maintained a target level of trust, according to a specific usage context
 Expected results for every ASC
- justify an organization's trust that its application is protected according to the risk coming from the application's contexts
 Risk analysis results -vs- Target Level of Trust
Conclusion
▶ ISO 27034 can help to minimize AS costs
 Promotes the integration of security activities in the existing organization processes
- minimize application security impacts
- minimize resistance to change
 Helps organizations to:
- set / manage ASCs and Levels of trust
- respect organization resources and priorities
- improve internal knowledge and best practices
- encapsulate knowledge in ASCs
- standardize ASCs and activities across the organization
- apply ASCs to people, processes or technology (whichever is easier / cheaper)
- promote reuse
- reduce training, implementation and auditing costs
Thank you for your time
ISO/IEC 27034 – Application security
How to trust... without paying too much!
for PECB
November 8th 2016
Luc Poulin Ph.D, CISSP-ISSMP, CSSLP, CISA, CISM, 27034ASLI, 27034ASLA
CEO, ISO/IEC 27034 Project editor
Luc.Poulin@Cogentas.org
ISO/IEC 27034 Training Courses
 ISO/IEC 27034 Application Security Introduction: 27034ASI – 1 Day Course
 ISO/IEC 27034 Application Security Foundation: 27034ASF – 2 Days Course
 ISO/IEC 27034 Lead Application Security Implementer: 27034ASLI – 5 Days Course
 ISO/IEC 27034 Lead Application Security Auditor: 27034ASLA – 5 Days Course
Exam and certification fees are included in the training price.
https://pecb.com/iso-iec-27034-training-courses | www.pecb.com/events
THANK YOU
+1 418 473-4473
Information@cogentas.org www.cogentas.org
ca.linkedin.com/in/LucPoulin

 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
 
Resume_IshitaKundu_CISA
Resume_IshitaKundu_CISAResume_IshitaKundu_CISA
Resume_IshitaKundu_CISA
 
Resume_IshitaKundu_CISA
Resume_IshitaKundu_CISAResume_IshitaKundu_CISA
Resume_IshitaKundu_CISA
 
english_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxenglish_bok_ismp_202306.pptx
english_bok_ismp_202306.pptx
 
ISO/IEC 27001.pdf
ISO/IEC 27001.pdfISO/IEC 27001.pdf
ISO/IEC 27001.pdf
 
IT Compliance in 2015 - Beyond the “v” model
IT Compliance in 2015 - Beyond the “v” modelIT Compliance in 2015 - Beyond the “v” model
IT Compliance in 2015 - Beyond the “v” model
 
A Major Revision of the CISRCP Program
A Major Revision of the CISRCP ProgramA Major Revision of the CISRCP Program
A Major Revision of the CISRCP Program
 
How to Achieve Functional Safety in Safety-Citical Embedded Systems
How to Achieve Functional Safety in Safety-Citical Embedded SystemsHow to Achieve Functional Safety in Safety-Citical Embedded Systems
How to Achieve Functional Safety in Safety-Citical Embedded Systems
 
How to Achieve Functional Safety in Safety-Critical Embedded Systems
How to Achieve Functional Safety in Safety-Critical Embedded SystemsHow to Achieve Functional Safety in Safety-Critical Embedded Systems
How to Achieve Functional Safety in Safety-Critical Embedded Systems
 

Plus de PECB

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityPECB
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernancePECB
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...PECB
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...PECB
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyPECB
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...PECB
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationPECB
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsPECB
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?PECB
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...PECB
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...PECB
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC PECB
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...PECB
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...PECB
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA PECB
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?PECB
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptxPECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxPECB
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 

Plus de PECB (20)

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 

Dernier

HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxVishalSingh1417
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSCeline George
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.MaryamAhmad92
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.christianmathematics
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Association for Project Management
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 

Dernier (20)

HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 

ISO/IEC 27034 Application Security – How to trust, without paying too much!

  • 7. Context
    ▶ Information security is becoming a major concern for managers and administrators
    ▶ Organizations have limited resources
    ▶ Every organization exists in a specific business context
    ▶ Usually: the scope of the security of an application is not adequately defined, and organizations do not have the slightest idea of the security of their applications
  • 8. Context – Concepts & definitions
    ▶ Information security (ISO/IEC 27000): preservation of confidentiality, integrity and availability of information
    ▶ Application security (ISO/IEC 27034): preservation of confidentiality, integrity and availability of information collected, processed, stored and communicated by an application
    ▶ Information security is based on risk management
    ▶ Risk cannot be eliminated; it can only be mitigated to an acceptable level
    ▶ Application security must be demonstrated
  • 9. ISO/IEC 27034 standards series
    ▶ ISO/IEC 27034 – Application Security
    ▶ Identifies: the target audience; AS objectives, principles, concepts, vision, scope, terms and definitions
    ▶ Specifies components, processes and the AS framework on two levels: organization and application
    ▶ States its requirements as recommendations ("should")
    ▶ Does not propose any security controls
    ▶ No certification available yet (in progress)
  • 10. ISO/IEC 27034 standards series
    ▶ ISO/IEC 27034 – Application Security
      Part 1: Overview and concepts (2011)
      Part 2: Organization normative framework (2015)
      Part 3: Application security management process (2017)
      Part 4: Application security validation (2019)
      Part 5: Protocols and application security control data structure (2017)
      Part 5-1: XML Schemas (2017)
      Part 6: Case studies (2016)
      Part 7: Assurance prediction framework (2017)
  • 11. ISO/IEC 27034 – A new vision for AS
    ▶ Four areas of intervention, each covering technology, process and people, all centred on critical information:
      Security Management (Governance)
      Application & IT System (Development and Evolution)
      Technology (Acquisition, Maintenance and Contingency)
      Verification & Control (Conformity)
  • 12. ISO/IEC 27034 – A new vision of AS
    ▶ 9 groups of information to protect (the slide's table marks, for each group, whether it belongs to the application and whether it is in AS scope):
      Organization and user's data
      Application data
      Roles and permissions
      Application specifications
      Technological context
      Processes involving the application
      Application life cycle processes
      Regulatory context
      Business context
  • 13. ISO/IEC 27034 – A new vision for AS
    ▶ Changing perspective – cost management (figure): the organization's technology, people, process and information, through infrastructure, software and application, up to application security
  • 14. Application Security Life Cycle Reference Model (figure)
    ▶ Provisioning stages: Preparation; Realization (development, acquisition, outsourcing); Transition
    ▶ Operation stages: Utilization and maintenance; Archival; Destruction; Disposal
    ▶ Layers: Application provisioning and operation; Application management (application provisioning management, application operation management); Infrastructure management (application provisioning infrastructure management, application operation infrastructure management); Application audit (application provisioning audit, application operation audit)
    ▶ Actors: Role 1, Role 2, Role 3, Role 4 ... Role n
    Key elements and cost management strategies
  • 15. Key elements and cost management strategies
    ▶ Risk management in AS (figure): the sources of risk for AS are the technological context, the regulatory context, the business context and the application specifications; each risk (R) has an impact expressed in money ($$$)
  • 16. Key elements and cost management strategies
    ▶ Risk treatment, for governance of application security (figure): a risk gives rise to an AS requirement; an Application Security Control (ASC, "CSA" in the French slides) is the control that mitigates it and records the expected evidence supporting the reduced-risk claim; impact before treatment $$$, impact after $; cost of the ASC ?/?
  • 17. Key elements and cost management strategies
    ▶ The Application Security Control (ASC) ties together:
      Security requirements (why): application specifications, compliance to regulations, standards and best practices, etc.
      Application Target Level of Trust (why)
      Security activity (what, how, where, who, when, how much)
      Verification measurement (what, how, where, who, when, how much)
      Both the activity and the measurement are positioned on the Application Security Life Cycle Reference Model and carry a cost per unit of time ($/t)
  • 18. Key elements and cost management strategies
    ▶ ASCs may have a graph relationship: they mitigate risk and hide/segment complexity
      Example (figure): a business-level "Online Payment" ASC, derived from the PCI-DSS standard, is composed of functional, infrastructure and user-level ASCs
  • 19. Key elements and cost management strategies
    ▶ ASCs may have a graph relationship: they mitigate risk and hide/segment complexity
    ▶ Facilitates cost management (figure): every ASC in the graph, from the business-level Online Payment ASC down through the functional, infrastructure and user layers, carries its own cost ($)
  • 20. Key elements and cost management strategies
    ▶ ASCs may have a graph relationship: they mitigate risk and hide/segment complexity
    ▶ Facilitates project, resource, training and qualification management, etc. (figure): every ASC in the graph carries its own time (t)
  • 21. Key elements and cost management strategies
    ▶ ASC Library (figure): the organisation's ASCs, organised by source of specifications and constraints and by the application levels of trust used by the organisation (0, 1, 2, 3 ... 9, 10)
      Application specifications: Online payment, Secure Log
      Business context: PCI-DSS, Aeronautics
      Regulatory context: Privacy laws
      Technological context: Wireless, SSL connection
      Each ASC carries a cost ($ to $$$$$); higher levels of trust require more, and more expensive, ASCs
  • 22. Key elements and cost management strategies
    ▶ Level of Trust
      Target: list of ASCs that have been identified and approved by the application owner
      Expected: list of ASCs that succeeded verification tests, plus those predicted to succeed
      Actual: list of ASCs that succeeded verification tests
    ▶ An application can be considered secure when Actual Level of Trust ≥ Target Level of Trust
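The following Python is an added example, not code from the presentation or from the ISO/IEC 27034 standard, that models slides 18 to 22: ASCs as a graph (a shared control such as a logging ASC hangs under several parents), cost and effort rolled up once per distinct ASC, an ASC's verification status computed as the worst of its own measurement and of the ASCs it is built from, and the Target / Expected / Actual Level of Trust check. Every ASC name, cost, effort, library level and verification result is constructed for illustration.

```python
"""ISO/IEC 27034-style ASC graph with cost roll-up and Level of Trust check.
Added example: all ASC names, costs, efforts and results are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Outcome of one ASC's verification measurement; higher rank = worse outcome.
PASS, PREDICTED, PENDING, FAIL = "pass", "predicted", "pending", "fail"
_RANK = {PASS: 0, PREDICTED: 1, PENDING: 2, FAIL: 3}


@dataclass
class ASC:
    """One Application Security Control: a security activity plus its
    verification measurement, with estimated cost ($) and effort (days)."""
    name: str
    cost: float
    effort: float
    children: List["ASC"] = field(default_factory=list)  # finer-grained ASCs it is built from


def walk(asc: ASC, seen: Optional[Set[str]] = None) -> Iterator[ASC]:
    """Yield each distinct ASC reachable from `asc` once: ASCs form a graph,
    not a tree, so a shared control must not be visited (or billed) twice."""
    if seen is None:
        seen = set()
    if asc.name in seen:
        return
    seen.add(asc.name)
    yield asc
    for child in asc.children:
        yield from walk(child, seen)


def total(roots: List[ASC], attr: str) -> float:
    """Roll up `cost` or `effort` over a set of target ASCs, counting a reused ASC once."""
    seen: Set[str] = set()
    return sum(getattr(a, attr) for root in roots for a in walk(root, seen))


def status(asc: ASC, results: Dict[str, str]) -> str:
    """Worst of the ASC's own measurement and of every ASC it is composed of
    (complexity is hidden, not ignored); a missing result counts as PENDING."""
    outcomes = [results.get(asc.name, PENDING)] + [status(c, results) for c in asc.children]
    return max(outcomes, key=_RANK.__getitem__)


def level_of_trust(target: List[ASC], results: Dict[str, str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """(Target, Expected, Actual) as sets of top-level ASC names: Target = ASCs
    approved by the owner, Expected = passed or predicted to pass, Actual = passed."""
    target_names = {a.name for a in target}
    expected = {a.name for a in target if status(a, results) in (PASS, PREDICTED)}
    actual = {a.name for a in target if status(a, results) == PASS}
    return target_names, expected, actual


def is_secure(target: List[ASC], results: Dict[str, str]) -> bool:
    """Secure when Actual >= Target: every targeted ASC, and all it is built from, passed."""
    target_names, _, actual = level_of_trust(target, results)
    return target_names <= actual


def missing_evidence(target: List[ASC], results: Dict[str, str]) -> Set[str]:
    """ASCs anywhere under the target that have not passed verification yet."""
    return {a.name for root in target for a in walk(root) if results.get(a.name) != PASS}


# Constructed ASC library; "Secure Log" is shared by three parents.
secure_log = ASC("Secure Log", cost=4000, effort=6)
tls = ASC("TLS connection", cost=1500, effort=2)
pan_storage = ASC("Cardholder data storage (PCI-DSS)", cost=12000, effort=15, children=[secure_log])
online_payment = ASC("Online Payment", cost=8000, effort=10, children=[pan_storage, tls, secure_log])
privacy = ASC("Privacy law compliance", cost=6000, effort=8, children=[secure_log])

# Constructed levels of trust used by the organisation -> top-level ASCs required.
LIBRARY: Dict[int, List[ASC]] = {1: [tls], 2: [tls, secure_log], 3: [online_payment, privacy]}

# Constructed verification results, one per ASC.
RESULTS: Dict[str, str] = {
    "TLS connection": PASS,
    "Secure Log": PASS,
    "Cardholder data storage (PCI-DSS)": PREDICTED,
    "Online Payment": PASS,
    "Privacy law compliance": PASS,
}

if __name__ == "__main__":
    for level, roots in LIBRARY.items():
        t, e, a = level_of_trust(roots, RESULTS)
        print(f"level {level}: ${total(roots, 'cost'):,.0f}, {total(roots, 'effort'):.0f} days; "
              f"target={sorted(t)} expected={sorted(e)} actual={sorted(a)}; "
              f"secure={is_secure(roots, RESULTS)}; missing={sorted(missing_evidence(roots, RESULTS))}")
```

Two points the slides state but do not show: because "Secure Log" is reused, level 3 costs $31,500 rather than the $39,500 a tree-shaped sum would give, and level 3 is Expected but not Actual until the cardholder-data ASC has real verification evidence rather than a prediction.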
  • 23. – Luc PoulinApplication Security Institute Key elements and cost management strategies ▶ The ONF Repository, authoritative source of information Does not require the implementation of all elements Respecting the priorities and capabilities of the organization (restaurant menu) 23 Organization Normative Framework (ONF) Business context Application specifications and functionalities repository Regulatory context Technological context Roles, responsibilities and qualifications repository Categorized information groups repository ASC Library ASC (Application Securty Controls) Application Security Tracability Matrix Application Security Life Cycle Reference Model Application Normative Frameworks (ANF) Application Security Life Cycle Model Management processes related to application security Application Security Risk Management ONF Committee Management ONF Management Application Security Management Application Security Conformance
  • 24. Conclusion
▶ ISO 27034 can help to manage AS costs
  Offers a more comprehensive and inclusive security vision
  - Only an approach that takes into account the interests of all stakeholders and the nature of the systems, networks and related services can ensure effective security (OECD, 2002)
  Supports the risk management model
  - Follows the critical information flow inside application processes and components
  - Protects only an application's critical elements
  Facilitates estimation of AS cost
  - Evaluate implementation costs of "small" security controls to improve estimation quality (Caulkins et al., 2007)
  • 25. Conclusion
▶ ISO 27034 can help to manage AS costs
  Helps organizations to:
  - identify and establish the Level of Trust for an application
    → ASC requirements related to an application, according to its AS risk
      • Supplier selection: RFP / service offering
      • Follow AS implementation
  - provide evidence that an application has achieved and maintained a target Level of Trust, according to a specific usage context
    → Expected results for every ASC
  - justify the organization's trust that its application is protected in proportion to the risk coming from the application's contexts
    → Risk analysis results vs. Target Level of Trust
  • 26. Conclusion
▶ ISO 27034 can help to minimize AS costs
  Promotes the integration of security activities into the organization's existing processes
  - minimizes application security impacts
  - minimizes resistance to change
  Helps organizations to:
  - set / manage ASCs and Levels of Trust
  - respect organization resources and priorities
  - improve internal knowledge and best practices
  - encapsulate knowledge in ASCs
  - standardize ASCs and activities across the organization
  - apply ASCs to people, processes or technology (whichever is easier / cheaper)
  - promote reuse
  - reduce training, implementation and auditing costs
  • 27. Thank you for your time
ISO/IEC 27034 – Application security
How to trust... without paying too much!
for PECB, November 8th 2016
Luc Poulin Ph.D, CISSP-ISSMP, CSSLP, CISA, CISM, 27034ASLI, 27034ASLA
CEO, ISO/IEC 27034 Project editor
Luc.Poulin@Cogentas.org
  • 28. ISO/IEC 27034 Training Courses
  - ISO/IEC 27034 Application Security Introduction (27034ASI) – 1-day course
  - ISO/IEC 27034 Application Security Foundation (27034ASF) – 2-day course
  - ISO/IEC 27034 Lead Application Security Implementer (27034ASLI) – 5-day course
  - ISO/IEC 27034 Lead Application Security Auditor (27034ASLA) – 5-day course
Exam and certification fees are included in the training price.
https://pecb.com/iso-iec-27034-training-courses | www.pecb.com/events
  • 29. THANK YOU ?
+1 418 473-4473
Information@cogentas.org
www.cogentas.org
ca.linkedin.com/in/LucPoulin