ISO/IEC INTERNATIONAL STANDARD 27034-1
First edition 2011-11-15

Information technology - Security techniques - Application security - Part 1: Overview and concepts
Technologies de l'information - Techniques de sécurité - Sécurité des applications - Partie 1: Aperçu général et concepts

Reference number ISO/IEC 27034-1:2011(E)

Copyright International Organization for Standardization, © ISO/IEC 2011. No reproduction or networking permitted without license from IHS. Not for Resale, 12/23/2015 17:00:56 MST

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2011
... ISO's member body in the country of the requester.
ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
E-mail [email protected]
Web www.iso.org
Published in Switzerland
© ISO/IEC 2011 - All rights reserved

Contents

Foreword
Introduction
0.1 General
0.2 Purpose
0.3 Targeted audiences
0.3.1 General
0.3.2 Managers
0.3.3 Provisioning and operation teams
0.3.4 Acquirers
0.3.5 Suppliers
0.3.6 Auditors
0.3.7 Users
0.4 Principles
0.4.1 Security is a requirement
0.4.2 Application security is context-dependent
0.4.3 Appropriate investment for application security
0.4.4 Application security should be demonstrated
0.5 Relationship to other International Standards
0.5.1 General
0.5.2 ISO/IEC 27001, Information security management systems - Requirements
0.5.3 ISO/IEC 27002, Code of practice for information security management
0.5.4 ISO/IEC 27005, Information security risk management
0.5.5 ISO/IEC 21827, Systems Security Engineering - Capability Maturity Model (SSE-CMM)
0.5.6 ISO/IEC 15408-3, Evaluation criteria for IT security - Part 3: Security assurance components
0.5.7 ISO/IEC TR 15443-1, A framework for IT security assurance - Part 1: Overview and framework, and ISO/IEC TR 15443-3, A framework for IT security assurance - Part 3: Analysis of assurance methods
0.5.8 ISO/IEC 15026-2, Systems and software engineering - Systems and software assurance - Part 2: Assurance case
0.5.9 ISO/IEC 15288, Systems and software engineering - System life cycle processes, and ISO/IEC 12207, Systems and software engineering - Software life cycle processes
0.5.10 ISO/IEC 29193 (under development), Secure system engineering principles and techniques
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Structure of ISO/IEC 27034
6 Introduction to application security
6.1
6.2 Application security vs software security
6.3 Application security scope
6.3.1 General
6.3.2 Business context
6.3.3 Regulatory context
6.3.4 Application life cycle processes
6.3.5 Processes involved with the application
6.3.6 Technological context
6.3.7 Application specifications
6.3.8 Application data
6.3.9 Organization and user data
6.3.10 Roles and permissions
6.4 Application security requirements
6.4.1 Application security requirements sources
6.4.2 Application security requirements engineering
6.4.3 ISMS
6.5 Risk
6.5.1 Application security risk
6.5.2 Application vulnerabilities
6.5.3 Threats to applications
6.5.4 Impact on applications
6.5.5 Risk management
6.6 Security costs
6.7 Target environment
6.8 Controls and their objectives
7 ISO/IEC 27034 overall processes
7.1 Components, processes and frameworks
7.2 ONF Management Process
7.3 Application Security Management Process
7.3.1
7.3.2 Specifying the application requirements and environment
7.3.3 Assessing application security risks
7.3.4 Creating and maintaining the Application Normative Framework
7.3.5 Provisioning and operating the application
7.3.6 Auditing the security of the application
8 Concepts
8.1 Organization Normative Framework
8.1.1 General
8.1.2 Components
8.1.3 Processes related to the Organization Normative Framework
8.2

PDF document: ISO IEC 27034-1-2011

Note: this document has 82 pages, of which 3 can be previewed; to read the full content, or if the current document appears garbled, you can become a member and download the original document.
This document was uploaded and shared by 思安 on 2022-11-26 11:44:35.