Wednesday, May 15, 2013

Security standard for developers

I have been writing quite a lot about the standards recently - mostly about their deficiencies -  but today a few words about one standard that is really worth investing the time and effort into:  Application security  ISO/IEC27034.

It has been around for about 18 months so, it’s a relatively new concept but already adapted by the largest software development companies. Chances are it will become prominent enough to be demanded from contractors developing solutions for government and larger corporate clients.

From the introduction to the Standard:
ISO/IEC 27034:
a) applies to the underlying software of an application and to contributing factors that impact its security, such as data, technology, application development life cycle processes, supporting processes and actors; and
b) applies to all sizes and all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) exposed to risks associated with applications.

The purpose of ISO/IEC 27034 is to assist organizations in integrating security seamlessly throughout the life cycle of their applications by:
• providing concepts, principles, frameworks, components and processes;

• providing process-oriented mechanisms for establishing security requirements, assessing security risks, assigning a Targeted Level of Trust and selecting corresponding security controls and verification measures;

• providing guidelines for establishing acceptance criteria to organizations outsourcing the development or operation of applications, and for organizations purchasing from third-party applications;

• providing process-oriented mechanisms for determining, generating and collecting the evidence needed to demonstrate that their applications can be used securely under a defined environment;

• supporting the general concepts specified in ISO/IEC 27001 and assisting with the satisfactory implementation of information security based on a risk management approach; and other standards.

A good starting point to learn about secure coding practices is a series of free courses/ video presentations offered by The Software Assurance Forum for Excellence in Code (SAFECode). You can read more about the Standard in a very interesting article by Lia Timson (The Age): If it's worth coding, it's worth securing.

No comments: