This article surveys some of the US and international standards used to understand the risks and controls associated with computer application security. With all the emphasis on network security in recent years, the critical area of application security may not be receiving adequate attention. Consider that once networks are secured against internal and external threats, an equal or greater risk may remain in critical software applications, such as enterprise resource planning (ERP), customer relationship management (CRM), online banking, financial accounting and manufacturing applications. The security standards address the key components of application security: confidentiality, integrity and availability. Some specific areas are emphasized in the standards, such as access controls, the development life cycle and cryptographic controls. Application security can be defined as the set of security mechanisms around an application that protect its confidentiality, integrity and availability.
Applications in the modern production environment, however, do not operate in a vacuum. Business process analysis is used to understand the role and operation of an application, and risk management directs and allocates security resources to the higher-risk areas. All of these are necessary for a holistic approach to application security. This survey discusses the following standards and documents: ISO 17799, ISO 15408, COBIT, SP800-14, SP800-27 and SAS94. These are widely used and respected standards and documents published by recognized organizations and government agencies. This is not a comprehensive survey of all standards in circulation, and there is inevitably some bias in the selection based on the professional experience of this author. Table 1 and the following text compare the application security objectives and key components of each standard.



