Application Security in the ISO27001 Environment

Book Description

As conduits of critical business data, it is vital that your software applications are adequately secured. The de facto standard on application security, this book is your step-by-step guide to securing your software applications within a best-practice ISO/IEC 27001 and PCI environment.

Table of Contents

  1. Copyright
  2. Preface
    1. Acknowledgements
  3. 1. Introduction to the International Information Security Standards ISO27001 and ISO27002
    1. What is information security?
      1. Reasons to implement an Information Security Management System (ISMS)
    2. The ISMS and regulation
    3. ISO/IEC 27001:2005 (‘ISO27001’ or ‘the Standard’)
    4. ISO/IEC 27002:2005 (‘ISO27002’)
    5. Definitions
    6. Risks to information assets
    7. Information Security Management System
    8. Relationship between the standards
    9. Specification compared to a Code of Practice
    10. The ISMS
    11. ISO27001 as a model for the ISMS
  4. 2. The ISO27001 Implementation Project
    1. PDCA cycle
    2. Project team
    3. Demonstrating management commitment
    4. Project team/steering committee
    5. Information security co-ordination
    6. Project initiation
    7. Awareness
    8. Awareness tools
    9. Documentation requirements and record control
    10. ISO27001 document control requirements
    11. Annex A document controls
    12. Document approval
    13. Contents of the ISMS documentation
    14. Record control
    15. Documentation process and toolkits
  5. 3. Risk Assessment
    1. Risk management
    2. Risk treatment plans
    3. Acceptable risks
    4. Risk assessment
    5. Assets within scope
    6. Asset classes
    7. Asset owners
    8. Assessing risk
      1. Threats (ISO27001 Clause 4.2.1 d2)
      2. Vulnerabilities (ISO27001 Clause 4.2.1 d3)
      3. Impacts (ISO27001 Clause 4.2.1 d4)
      4. Risk assessment (likelihood and evaluation) (ISO27001 Clause 4.2.1 e)
    9. Risk level
    10. Risk treatment plan
    11. Risk assessment tools
  6. 4. Introduction to Application Security Threats
  7. 5. Application Security and ISO27001
    1. A.12.1.1 Security requirements analysis and specifications
    2. A.12.5.1 Change control procedures
    3. A.12.5.2 Technical review of applications after operating system changes
    4. A.12.5.3 Restrictions on changes to software packages
    5. A.12.5.5 Outsourced software development
    6. A.10.1.3 Segregation of duties
    7. A.10.1.4 Separation of development, test and operational facilities
    8. A.10.3.2 System Acceptance
    9. A.12.4.2 Protection of system test data
    10. A.12.4.3 Access control to program source code
    11. A.12.2.1 Input validation
    12. A.12.2.2 Control of internal processing, and A.12.2.4 Output data validation
    13. A.12.2.3 Message integrity
    14. A.11.6.1 Information access restriction
    15. A.11.2.2 Privilege management
    16. A.11.2.4 Review of user access rights
    17. A.11.6.2 Sensitive system isolation
    18. A.11.2.1 User registration
    19. A.11.2.3 Password management
    20. A.11.5.3 Password management system
    21. A.11.5.4 Use of system utilities
    22. A.11.5.5 Session time out
    23. A.11.5.6 Limitation of connection time
    24. A.10.10.1 Audit logging
    25. A.10.10.2 Monitoring system use
    26. A.10.10.3 Protection of log information
    27. A.10.10.4 Administrator and operator logs
    28. A.15.2.2 Technical compliance checking
    29. A.10.9.1 Electronic commerce
    30. A.10.9.2 Online transactions
    31. A.10.9.3 Publicly available information
    32. Security metrics
    33. Bibliography
  8. 6. Attacks on Applications
    1. Variable manipulation attacks
    2. How to set up a web proxy editor
      1. Solution
    3. Buffer overflows
      1. Solution
    4. Structured Query Language (SQL) injection
      1. Solution
    5. Cross-site scripting
      1. Solution
    6. Attack on browser’s refresh
      1. Solution
      2. ISO27001 controls and the attacks
      3. References
  9. 7. Secure Development Lifecycle
    1. Security activities in SDLC
    2. Preliminary risk assessment
    3. Threat modelling
      1. Threat profiles
        1. First step – identify all the assets to be protected
        2. Second step – identify all the roles that have valid or authorised access to the assets
        3. Third step – identify all the valid paths that a role is allowed
      2. Threat trees
    4. Secure coding practices
    5. Security testing
      1. Black box test
      2. Grey box test
      3. White box test
    6. Backup and recovery
    7. Change control (ISO27001 A.12.5.1)
    8. Incident response
    9. Security training
    10. Bibliography
  10. 8. Threat Profiling and Security Testing
    1. Threat profiling
    2. The process of threat profiling
      1. The four-step approach to threat profiling
    3. Application security review and testing
      1. Black box testing
      2. Grey box testing
      3. Security test cases
    4. Input validation tests
      1. Session management tests
      2. Browser-related tests
      3. White box testing
  11. 9. Secure Coding Guidelines
    1. Input validation guidelines (ISO27001 A.12.2.1)
      1. Validate at server
        1. Unsafe usage
        2. Safe usage
      2. Validate datatype, length, range
      3. Allow only known input
        1. Unsafe usage
        2. Safe usage
      4. Reject known bad input
      5. Sanitise input
        1. Sample usage
      6. Modularise input validation
    2. Authentication guidelines (ISO27001 A.11.5.2)
      1. Defend against password guessing
        1. Enforce strong passwords (ISO27001 A.11.5.3)
        2. Enforce account lockouts (ISO27001 A.11.5.1)
        3. Use CAPTCHAs
        4. Implement a secure ‘Remember me’ feature
        5. Never store passwords in cookies
        6. Demand the password before critical operations
        7. Implement a secure ‘forgot password’ feature
        8. Implement a secure ‘change password’ feature
        9. Protect against ‘browser refresh’
        10. Safe usage
    3. Guidelines for handling sensitive data (ISO27001 A.10.7.3)
      1. Secure sockets layer (ISO27001 A.12.3)
      2. Using the right cryptographic algorithm
        1. Unsafe usage
      3. Symmetric key encryption algorithm
      4. Hashing algorithms
      5. Protect cryptographic keys
      6. Prevent sensitive data from being stolen from client
      7. Sensitive data in query strings
        1. Unsafe usage
        2. Safe usage
      8. Sensitive web pages cached
    4. Session management guidelines
      1. Use unique and random session tokens
      2. Store session tokens in secure cookies
      3. Invalidate session tokens on logout
      4. Timeout sessions (ISO27001 A.11.5.5)
      5. Using Web.Config to secure sessions
    5. Error handling and logging (ISO27001 A.10.10.5)
      1. Use Try...Catch...Finally
        1. Unsafe usage
        2. Safe usage
      2. Sanitise error messages
      3. Use generic error messages
        1. Unsafe usage
        2. Safe usage
      4. Use custom error pages
      5. Logging key events (ISO27001 A.10.10.1)
        1. Account administration
        2. User access
        3. System errors
      6. Secure log files (ISO27001 A.10.10.3)
    6. Miscellaneous guidelines
      1. Upload files securely (ISO27001 A.10.9.3)
        1. Sample usage
      2. Download files securely (ISO27001 A.10.9.3)
        1. Unsafe usage
        2. Safe usage
      3. Use parameterised queries
        1. Unsafe usage
        2. Safe usage
      4. Validate all business rules
      5. Use least privilege (ISO27001 A.11.2.2)
      6. Use low-privileged operating system user
      7. Use low-privileged database user
  12. ITG Resources
    1. Pocket Guides
      1. Practical Information Security Pocket Guides
      2. Practical IT Governance Pocket Guides
    2. Toolkits