
iso 27034 应用安全指南.pdf (ISO 27034 Application Security Guide, PDF)

General programming questions

Download this example
  • Language: Others
  • Size: 1.12M
  • Downloads: 4
  • Views: 420
  • Published: 2020-03-06
  • Category: General programming questions
  • Uploader: robot666
  • File format: .pdf
  • Points required: 2

Example description

[Core code] (what follows is the table of contents extracted from the PDF)

Contents .... Page
FOREWORD .... viii
INTRODUCTION .... ix
0.1 GENERAL .... ix
0.2 PURPOSE .... ix
0.3 TARGETED AUDIENCES .... x
0.3.1 General .... x
0.3.2 Managers .... x
0.3.3 Provisioning and operation teams .... xi
0.3.4 Acquirers .... xii
0.3.5 Suppliers .... xii
0.3.6 Auditors .... xii
0.3.7 Users .... xii
0.4 PRINCIPLES .... xii
0.4.1 Security is a requirement .... xii
0.4.2 Application security is context-dependent .... xiii
0.4.3 Appropriate investment for application security .... xiii
0.4.4 Application security should be demonstrated .... xiii
0.5 RELATIONSHIP TO OTHER INTERNATIONAL STANDARDS .... xiv
0.5.1 General .... xiv
0.5.2 ISO/IEC 27001, Information security management systems — Requirements .... xiv
0.5.3 ISO/IEC 27002, Code of practice for information security management .... xiv
0.5.4 ISO/IEC 27005, Information security risk management .... xiv
0.5.5 ISO/IEC 21827, Systems Security Engineering — Capability Maturity Model® (SSE-CMM®) .... xiv
0.5.6 ISO/IEC 15408-3, Evaluation criteria for IT security — Part 3: Security assurance components .... xiv
0.5.7 ISO/IEC TR 15443-1, A framework for IT security assurance — Part 1: Overview and framework, and ISO/IEC TR 15443-3, A framework for IT security assurance — Part 3: Analysis of assurance methods .... xv
0.5.8 ISO/IEC 15026-2, Systems and software engineering — Systems and software assurance — Part 2: Assurance case .... xv
0.5.9 ISO/IEC 15288, Systems and software engineering — System life cycle processes, and ISO/IEC 12207, Systems and software engineering — Software life cycle process .... xv
0.5.10 ISO/IEC 29193 (under development), Secure system engineering principles and techniques .... xv
1 SCOPE .... 1
2 NORMATIVE REFERENCES .... 1
3 TERMS AND DEFINITIONS .... 1
4 ABBREVIATED TERMS .... 4
5 STRUCTURE OF ISO/IEC 27034 .... 5
6 INTRODUCTION TO APPLICATION SECURITY .... 6
6.1 GENERAL .... 6
6.2 APPLICATION SECURITY VS SOFTWARE SECURITY .... 6
6.3 APPLICATION SECURITY SCOPE .... 6
6.3.1 General .... 6
6.3.2 Business context .... 7
6.3.3 Regulatory context .... 7
6.3.4 Application life cycle processes .... 7
6.3.5 Processes involved with the application .... 7
International Information Security Learning Alliance (国际信息安全学习联盟) www.cncisa.com
ISO/IEC FDIS 27034-1:2011(E)
© ISO/IEC 2011 – All rights reserved v
6.3.6 Technological context .... 8
6.3.7 Application specifications .... 8
6.3.8 Application data .... 8
6.3.9 Organization and user data .... 8
6.3.10 Roles and permissions .... 8
6.4 APPLICATION SECURITY REQUIREMENTS .... 8
6.4.1 Application security requirements sources .... 8
6.4.2 Application security requirements engineering .... 9
6.4.3 ISMS .... 9
6.5 RISK .... 9
6.5.1 Application security risk .... 9
6.5.2 Application vulnerabilities .... 10
6.5.3 Threats to applications .... 10
6.5.4 Impact on applications .... 10
6.5.5 Risk management .... 10
6.6 SECURITY COSTS .... 10
6.7 TARGET ENVIRONMENT .... 10
6.8 CONTROLS AND THEIR OBJECTIVES .... 11
7 ISO/IEC 27034 OVERALL PROCESSES .... 11
7.1 COMPONENTS, PROCESSES AND FRAMEWORKS .... 11
7.2 ONF MANAGEMENT PROCESS .... 12
7.3 APPLICATION SECURITY MANAGEMENT PROCESS .... 13
7.3.1 General .... 13
7.3.2 Specifying the application requirements and environment .... 13
7.3.3 Assessing application security risks .... 13
7.3.4 Creating and maintaining the Application Normative Framework .... 13
7.3.5 Provisioning and operating the application .... 14
7.3.6 Auditing the security of the application .... 14
8 CONCEPTS .... 14
8.1 ORGANIZATION NORMATIVE FRAMEWORK .... 14
8.1.1 General .... 14
8.1.2 Components .... 15
8.1.3 Processes related to the Organization Normative Framework .... 28
8.2 APPLICATION SECURITY RISK ASSESSMENT .... 30
8.2.1 Risk assessment vs risk management .... 30
8.2.2 Application risk analysis .... 31
8.2.3 Risk Evaluation .... 31
8.2.4 Application's Targeted Level of Trust .... 31
8.2.5 Application owner acceptation .... 31
8.3 APPLICATION NORMATIVE FRAMEWORK .... 32
8.3.1 General .... 32
8.3.2 Components .... 33
8.3.3 Processes related to the security of the application .... 33
8.3.4 Application's life cycle .... 34
8.3.5 Processes .... 34
8.4 PROVISIONING AND OPERATING THE APPLICATION .... 34
8.4.1 General .... 34
8.4.2 Impact of ISO/IEC 27034 on an application project .... 35
8.4.3 Components .... 36
8.4.4 Processes .... 36
8.5 APPLICATION SECURITY AUDIT .... 37
8.5.1 General .... 37
8.5.2 Components .... 38
ANNEX A (INFORMATIVE) MAPPING AN EXISTING DEVELOPMENT PROCESS TO ISO/IEC 27034 CASE STUDY .... 39
A.1 GENERAL .... 39
A.2 ABOUT THE SECURITY DEVELOPMENT LIFECYCLE .... 39
A.3 SDL MAPPED TO THE ORGANIZATION NORMATIVE FRAMEWORK .... 40
A.4 BUSINESS CONTEXT .... 41
A.5 REGULATORY CONTEXT .... 41
A.6 APPLICATION SPECIFICATIONS REPOSITORY .... 42
A.7 TECHNOLOGICAL CONTEXT .... 42
A.8 ROLES, RESPONSIBILITIES AND QUALIFICATIONS .... 43
A.9 ORGANIZATION ASC LIBRARY .... 44
A.9.1 Training .... 45
A.9.2 Requirements .... 45
A.9.3 Design .... 46
A.9.4 Implementation .... 47
A.9.5 Verification .... 47
A.9.6 Release .... 48
A.10 APPLICATION SECURITY AUDIT .... 49
A.11 APPLICATION LIFE CYCLE MODEL .... 51
A.12 SDL MAPPED TO THE APPLICATION SECURITY LIFE CYCLE REFERENCE MODEL .... 53
ANNEX B (INFORMATIVE) MAPPING ASC WITH AN EXISTING STANDARD .... 55
B.1 ASC CANDIDATE CATEGORIES .... 55
B.1.1 Common security control-related considerations .... 55
B.1.2 Operational/environmental-related considerations .... 55
B.1.3 Physical Infrastructure-related considerations .... 55
B.1.4 Public access-related considerations .... 55
B.1.5 Technology-related considerations .... 56
B.1.6 Policy/regulatory-related considerations .... 56
B.1.7 Scalability-related considerations .... 56
B.1.8 Security objective-related considerations .... 56
B.2 CLASSES OF SECURITY CONTROLS .... 57
B.3 SUB-CLASSES IN THE ACCESS CONTROL (AC) CLASS .... 58
B.4 DETAILED ACCESS CONTROL CLASSES .... 59
B.4.1 AC-1 Access control policy and procedures .... 59
B.4.2 AC-2 Account management .... 59
B.4.3 AC-17 Remote access .... 60
B.5 DEFINITION OF AN ASC BUILT FROM A SAMPLE SP 800-53 CONTROL .... 61
B.5.1 Control AU-14 as described in SP 800-53 Rev. 3 .... 61
B.5.2 Control AU-14 as described using ISO/IEC 27034 ASC format .... 62
ANNEX C (INFORMATIVE) ISO/IEC 27005 RISK MANAGEMENT PROCESS MAPPED WITH THE ASMP .... 65
BIBLIOGRAPHY .... 67
Figures .... Page
Figure 1 – Relationship to other International Standards .... xiv
Figure 2 – Application Security Scope .... 6
Figure 3 – Organization Management Processes .... 12
Figure 4 – Organization Normative Framework (simplified) .... 15
Figure 5 – Graphical representation of an example of an Organization ASC Library .... 18
Figure 6 – Components of an ASC .... 20
Figure 7 – Graph of ASCs .... 21
Figure 8 – Top-level view of the Application Security Life Cycle Reference Model .... 24
Figure 9 – ONF Management Process .... 28
Figure 10 – Application Normative Framework .... 32
Figure 11 – Impact of this International Standard on roles and responsibilities in a typical application project .... 35
Figure 12 – ASC used as a security activity .... 36
Figure 13 – ASC used as a measurement .... 37
Figure 14 – Overview of the application security verification process .... 38
Figure A.1 – Security Development Lifecycle .... 40
Figure A.2 – SDL mapped to the Organization Normative Framework .... 40
Figure A.3 – Example of an ASC tree .... 45
Figure A.4 – Example of a Line of Business Application for Application Security Audit .... 50
Figure A.5 – SDL Process Illustration .... 52
Figure A.6 – SDL mapped to the Application Security Life Cycle Reference Model .... 53
Figure A.7 – Detailed mapping of SDL phases with stages in the Application Security Life Cycle Reference Model .... 53
Figure C.1 – ISO/IEC 27005 risk management process mapped with the ASMP .... 65

Tables .... Page
Table 1 – Application Scope vs Application Security Scope .... 7
Table 2 – Mapping of ISMS and application security-related ONF management subprocesses .... 29
Table B.1 – Security control classes, families, and identifiers .... 57
Table B.2 – Security control classes and security control baselines for low-impact, moderate-impact, and high-impact information systems .... 58
Table B.3 – SP800-53 control AU-14 described using ISO/IEC 27034 ASC format .... 62
