Abstract
Secure software development brings information security aspects into the project's scope, preventing malicious users from attacking the system's vulnerabilities. To achieve this, security controls must be integrated into the application's solution design. The standard ISO/IEC 27034 provides the necessary guidance for the development of application security in any interested organization. An important concept in the standard is the Application Security Control (ASC) Library, which may serve as a central repository for the specification and design of security controls. The ASC Library can support the secure development of the organization's projects by taking their main characteristics into account and providing the necessary security control references. This work reports an action-research study conducted in an international bank that adopted the ASC Library concept after reviewing its previous application security risk assessments and identifying several missing security controls. The main contribution of this work is a process to identify, specify and document the organization's security controls based on the ASC Library concept.
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Siqueira, A.A., Reinehr, S., Malucelli, A. (2017). Using the ISO/IEC 27034 as Reference to Develop an Application Security Control Library. In: Stolfa, J., Stolfa, S., O'Connor, R., Messnarz, R. (eds) Systems, Software and Services Process Improvement. EuroSPI 2017. Communications in Computer and Information Science, vol 748. Springer, Cham. https://doi.org/10.1007/978-3-319-64218-5_46
DOI: https://doi.org/10.1007/978-3-319-64218-5_46
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64217-8
Online ISBN: 978-3-319-64218-5
eBook Packages: Computer Science, Computer Science (R0)