
Using the ISO/IEC 27034 as Reference to Develop an Application Security Control Library

  • Conference paper
  • Systems, Software and Services Process Improvement (EuroSPI 2017)
  • Part of the book series: Communications in Computer and Information Science (CCIS, volume 748)

Abstract

Secure software development allows solutions to be built with information security aspects included in the project's scope, preventing malicious users from attacking the system's vulnerabilities. To achieve this, security controls must be integrated into the application's solution design. The standard ISO/IEC 27034 provides the guidance needed to develop application security in any interested organization. An important concept in the standard is the Application Security Control (ASC) Library, which can provide a central repository for the specification and design of security controls. The ASC Library can support secure development across the organization's projects by taking their main characteristics into account and providing the necessary security control references. This work reports an action-research study conducted in an international bank that adopted the ASC Library concept after reviewing its previous application security risk assessments and identifying several missing security controls. The main contribution of this work is a process to identify, specify and document the organization's security controls based on the ASC Library concept.



Corresponding author

Correspondence to Alexssander A. Siqueira .

Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Siqueira, A.A., Reinehr, S., Malucelli, A. (2017). Using the ISO/IEC 27034 as Reference to Develop an Application Security Control Library. In: Stolfa, J., Stolfa, S., O'Connor, R., Messnarz, R. (eds) Systems, Software and Services Process Improvement. EuroSPI 2017. Communications in Computer and Information Science, vol 748. Springer, Cham. https://doi.org/10.1007/978-3-319-64218-5_46

  • DOI: https://doi.org/10.1007/978-3-319-64218-5_46

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64217-8

  • Online ISBN: 978-3-319-64218-5

  • eBook Packages: Computer Science (R0)