Application Security Standards (ISO/IEC 27034-1)


Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
There are many different security considerations when it comes to application development. I want to talk specifically about an application security standard, ISO 27034-1, that helps to organize security controls around applications.

In this lesson, we're going to talk about the ISO 27034-1 standard for secure application development. This standard really revolves around two key documents. Then we're going to talk about how the standard documents enhance secure application development.

The ISO 27034-1 standard: ISO, as we said before, is the International Organization for Standardization. This standard really talks about the organization of secure application development. The standard talks about two documents. The first is the organizational normative framework, referred to as the ONF. This organizational normative framework lays out all of the application security controls, best practices, and principles that your organization wants to consider when doing development activities. The application normative framework, the ANF, is a specific version of the ONF for a given application, and there's only one ONF for the whole organization. Every single application your organization develops or maintains needs its own ANF.

You might say, well, why is that? Well, different applications require different security requirements. They may be processing different data of different sensitivity, or different regulatory requirements involving that data. Your overarching organizational ONF may include standards around encryption, passwords, integrity checking, input validation, concepts that we're going to go into in more detail later in the course. But an individual application may include all or just some of those critical controls.

At the high level, you have the organizational ONF, and it maps to many ANFs, so there's a one-to-many relationship, and there's a many-to-one ANF-to-ONF relationship. But by maintaining this high-level ONF, your organization really can put together all of their best practices, controls, and regulatory requirements in one standard framework that helps them understand and make sure that they are tailoring their applications to the needs for privacy and security.

Quiz question: the ONF-to-ANF relationship is which of the following? One-to-one, two-to-one, one-to-many. If you said one-to-many, you're correct. The organization needs an overarching organizational normative framework. Then each application needs its own application normative framework to lay out the specific security controls and requirements that govern that application.

In summary, we covered the ISO 27034-1 standard for secure application development. We talked about the use of an organizational normative framework to lay out the high-level security controls regarding applications developed for the organization. Then how individual applications need their own application normative framework that highlights the importance of the security controls that are relevant to that application and its development. I'll see you in the next lesson.