ДСТУ ISO/IEC 27034-1:2016 Інформаційні технології. Методи захисту. Безпека прикладних програм. Частина 1. Огляд і концепція (ISO/IEC 27034-1:2011, IDT)

ПІДТВЕРДЖУВАЛЬНЕ ПОВІДОМЛЕННЯ

Державне підприємство
«Український науково-дослідний і навчальний центр
проблем стандартизації, сертифікації та якості»
(З питань придбання офіційного видання звертайтесь до національного органу стандартизації
(ДП «УкрНДНЦ»))

Наказ від 07.10.2016 № 307

ISO/IEC 27034-1:2011

Information technology — Security techniques —
Application security — Part 1: Overview and concepts

прийнято як національний стандарт
методом «підтвердження» за позначенням
Відповідає офіційному тексту

ДСТУ ISO/IEC 27034-1:2016
(ISO/IEC 27034-1:2011, IDТ)

Інформаційні технології. Методи захисту.
Безпека прикладних програм. Частина 1. Огляд і концепція

З наданням чинності від 2016-10-10

Contents

FOREWORD

INTRODUCTION

0.1 GENERAL

0.2 PURPOSE

0.3 TARGETED AUDIENCES

0.3.1 General

0.3.2 Managers

0.3.3 Provisioning and operation teams

0.3.4 Acquirers

0.3.5 Suppliers

0.3.6 Auditors

0.3.7 Users

0.4 PRINCIPLES

0.4.1 Security is a requirement

 0.4.2 Application security is context-dependent

0.4.3 Appropriate investment for application security

0.4.4 Application security should be demonstrated

0.5 RELATIONSHIP TO OTHER INTERNATIONAL STANDARDS

0.5.1 General

0.5.2 ISO/IEC 27001, Information security management systems — Requirements

0.5.3 ISO/IEC 27002, Code of practice for information security management

0.5.4 ISO/IEC 27005, Information security risk management

0.5.5 ISO/IEC 21827, Systems Security Engineering — Capability Maturity Model® (SSE CMM®)

0.5.6 ISO/IEC 15408-3, Evaluation criteria for IT security — Part 3: Security assurance components

0.5.7 ISO/IEC TR 15443-1, A framework for IT security assurance — Part 1: Overview and framework, and ISO/IEC TR 15443-3, A framework for IT security assurance — Part 3: Analysis of assurance methods

0.5.8 ISO/IEC 15026-2, Systems and software engineering — Systems and software assurance — Part 2: Assurance case

0.5.9 ISO/IEC 15288, Systems and software engineering — System life cycle processes, and ISO/IEC 12207, Systems and software engineering — Software life cycle process

0.5.10 ISO/IEC 29193 (under development), Secure system engineering principles and techniques

1 SCOPE

2 NORMATIVE REFERENCES

3 TERMS AND DEFINITIONS

4 ABBREVIATED TERMS

5 STRUCTURE OF ISO/IEC 27034

6 INTRODUCTION TO APPLICATION SECURITY

6.1 GENERAL

6.2 APPLICATION SECURITY VS SOFTWARE SECURITY

6.3 APPLICATION SECURITY SCOPE

6.3.1 General

6.3.2 Business context

6.3.3 Regulatory context

6.3.4 Application life cycle processes

6.3.5 Processes involved with the application

6.3.6 Technological context

6.3.7 Application specifications

6.3.8 Application data

6.3.9 Organization and user data

6.3.10 Roles and permissions

6.4 APPLICATION SECURITY REQUIREMENTS

6.4.1 Application security requirements sources

6.4.2 Application security requirements engineering

6.4.3 ISMS

6.5 RISK

6.5.1 Application security risk

6.5.2 Application vulnerabilities

6.5.3 Threats to applications

6.5.4 Impact on applications

6.5.5 Risk management

6.6 SECURITY COSTS

6.7 TARGET ENVIRONMENT

6.8 CONTROLS AND THEIR OBJECTIVES

7 ISO/IEC 27034 OVERALL PROCESSES

7.1 COMPONENTS, PROCESSES AND FRAMEWORKS

7.2 ONF MANAGEMENT PROCESS

7.3 APPLICATION SECURITY MANAGEMENT PROCESS

7.3.1 General

7.3.2 Specifying the application requirements and environment

7.3.3 Assessing application security risks

7.3.4 Creating and maintaining the Application Normative Framework

7.3.5 Provisioning and operating the application

7.3.6 Auditing the security of the application

8 CONCEPTS

8.1 ORGANIZATION NORMATIVE FRAMEWORK

8.1.1 General

8.1.2 Components

8.1.3 Processes related to the Organization Normative Framework

8.2 APPLICATION SECURITY RISK ASSESSMENT

8.2.1 Risk assessment vs risk management

8.2.2 Application risk analysis

8.2.3 Risk Evaluation

8.2.4 Application's Targeted Level of Trust

8.2.5 Application owner acceptation

8.3 APPLICATION NORMATIVE FRAMEWORK

8.3.1 General

8.3.2 Components

8.3.3 Processes related to the security of the application

8.3.4 Application's life cycle

8.3.5 Processes

8.4 PROVISIONING AND OPERATING THE APPLICATION

8.4.1 General

8.4.2 Impact of ISO/IEC 27034 on an application project

8.4.3 Components

8.4.4 Processes

8.5 APPLICATION SECURITY AUDIT

8.5.1 General

8.5.2 Components

ANNEX A (INFORMATIVE) MAPPING AN EXISTING DEVELOPMENT PROCESS TO ISO/IEC 27034 CASE STUDY

A.1 GENERAL

A.2 ABOUT THE SECURITY DEVELOPMENT LIFECYCLE

A.3 SDL MAPPED TO THE ORGANIZATION NORMATIVE FRAMEWORK

A.4 BUSINESS CONTEXT

A.5 REGULATORY CONTEXT

A.6 APPLICATION SPECIFICATIONS REPOSITORY

A.7 TECHNOLOGICAL CONTEXT

A.8 ROLES, RESPONSIBILITIES AND QUALIFICATIONS

A.9 ORGANIZATION ASC LIBRARY

A.9.1 Training

A.9.2 Requirements

A.9.3 Design

A.9.4 Implementation

A.9.5 Verification

A.9.6 Release

A.10 APPLICATION SECURITY AUDIT

A.11 APPLICATION LIFE CYCLE MODEL

A.12 SDL MAPPED TO THE APPLICATION SECURITY LIFE CYCLE REFERENCE MODEL

ANNEX B (INFORMATIVE) MAPPING ASC WITH AN EXISTING STANDARD

B.1 ASC CANDIDATE CATEGORIES

B.1.1 Common security control-related considerations

B.1.2 Operational/environmental-related considerations

B.1.3 Physical Infrastructure-related considerations

B.1.4 Public access-related considerations

B.1.5 Technology-related considerations

B.1.6 Policy/regulatory-related considerations

B.1.7 Scalability-related considerations

B.1.8 Security objective-related considerations

B.2 CLASSES OF SECURITY CONTROLS

B.3 SUB-CLASSES IN THE ACCESS CONTROL (AC) CLASS

B.4 DETAILED ACCESS CONTROL CLASSES

B.4.1 AC-1 Access control policy and procedures

B.4.2 AC-2 Account management

B.4.3 AC-17 Remote access

B.5 DEFINITION OF AN ASC BUILT FROM A SAMPLE SP 800-53 CONTROL

B.5.1 Control AU-14 as described in SP 800-53 Rev. 3

B.5.2 Control AU-14 as described using ISO/IEC 27034 ASC format

ANNEX C (INFORMATIVE) ISO/IEC 27005 RISK MANAGEMENT PROCESS MAPPED WITH THE ASMP

BIBLIOGRAPHY