欢迎来到麦多课文档分享! | 帮助中心 海量文档,免费浏览,给你所需,享你所想!
麦多课文档分享
全部分类
  • 标准规范>
  • 教学课件>
  • 考试资料>
  • 办公文档>
  • 学术论文>
  • 行业资料>
  • 易语言源码>
  • ImageVerifierCode 换一换
    首页 麦多课文档分享 > 资源分类 > PDF文档下载
    分享到微信 分享到微博 分享到QQ空间

    BS ISO IEC 27034-6-2016 Information technology Security techniques Application security Case studies《信息技术 安全技术 应用安全 案例研究》.pdf

    • 资源ID:396692       资源大小:2MB        全文页数:82页
    • 资源格式: PDF        下载积分:10000积分
    快捷下载 游客一键下载
    账号登录下载
    微信登录下载
    二维码
    微信扫一扫登录
    下载资源需要10000积分(如需开发票,请勿充值!)
    邮箱/手机:
    温馨提示:
    如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
    如需开发票,请勿充值!如填写123,账号就是123,密码也是123。
    支付方式: 支付宝扫码支付    微信扫码支付   
    验证码:   换一换

    加入VIP,交流精品资源
     
    账号:
    密码:
    验证码:   换一换
      忘记密码?
        
    友情提示
    2、PDF文件下载后,可能会被浏览器默认打开,此种情况可以点击浏览器菜单,保存网页到桌面,就可以正常下载了。
    3、本站不支持迅雷下载,请使用电脑自带的IE浏览器,或者360浏览器、谷歌浏览器下载即可。
    4、本站资源下载后的文档和图纸-无水印,预览文档经过压缩,下载后原文更清晰。
    5、试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。

    BS ISO IEC 27034-6-2016 Information technology Security techniques Application security Case studies《信息技术 安全技术 应用安全 案例研究》.pdf

    1、BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06 Information technology Security techniques Application security Part 6: Case studies BS ISO/IEC 270346:2016Information technology Security techniques Application security Part 6: Case studies Technologies de linformat

    2、ion Techniques de scurit Scurit des applications Partie 6: tudes de cas INTERNATIONAL STANDARD ISO/IEC 27034-6 Reference number ISO/IEC 27034-6:2016(E) First edition 2016-10-01 ISO/IEC 2016 National foreword This British Standard is the UK implementation of ISO/IEC 270346:2016. The UK participation

    3、in its preparation was entrusted by Technical Committee IST/33, IT Security techniques, to Subcommittee IST/33/4, Security Controls and Services. A list of organizations represented on this subcommittee can be obtained on request to its secretary. This publication does not purport to include all the

    4、 necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016 Published by BSI Standards Limited 2016 ISBN 978 0 580 80086 3 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Stan

    5、dard was published under the authority of the Standards Policy and Strategy Committee on 30 November 2016. Amendments/corrigenda issued since publication Date Text affected BRITISH STANDARD BS ISO/IEC 270346:2016Information technology Security techniques Application security Part 6: Case studies Tec

    6、hnologies de linformation Techniques de scurit Scurit des applications Partie 6: tudes de cas INTERNATIONAL STANDARD ISO/IEC 27034-6 Reference number ISO/IEC 27034-6:2016(E) First edition 2016-10-01 ISO/IEC 2016 BS ISO/IEC 270346:2016 ii ISO/IEC 2016 All rights reserved COPYRIGHT PROTECTED DOCUMENT

    7、ISO/IEC 2016, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written

    8、permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 27034

    9、-6:2016(E) BS ISO/IEC 270346:2016 ISO/IEC 27034-6:2016(E)Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Abbreviated terms 1 5 S ecurity guidanc e for specific applications 1 5.1 General . 1 5.2 ASC example: Java code revision for mobile applications 2

    10、5.2.1 General 2 5.2.2 Purpose 2 5.2.3 Context 2 5.2.4 ORGANIsation Information classification guidelines . 2 5.2.5 Levels of trust included in the ORGANIsation ASC Library . 2 5.2.6 Outcome 3 5.2.7 ORGANIsation stakeholders involved in these ASCs . 4 5.2.8 Descriptions of sample ASCs . 6 5.3 Case st

    11、udy: Developing ASCs to address the issue of privacy for two countries 19 5.3.1 General.19 5.3.2 Purpose .19 5.3.3 Context .19 5.4 Case study: Integration of third-party ASCs .21 5.4.1 General.21 5.4.2 Purpose .21 5.4.3 Context .21 5.5 Case study: Using the ASLCRM to facilitate implementation of ASC

    12、s by different development groups inside an organization 24 5.5.1 General.24 5.5.2 Purpose .24 5.5.3 Context .24 5.6 Case study: Implementation of third-party ASCs in a secure development life cycle process 26 5.6.1 General.26 5.6.2 Purpose .26 5.6.3 Context .26 5.6.4 Preparation phase (1.00) .27 5.

    13、6.5 Requirements phase (2.00) .30 5.6.6 Design phase (3.00) . .31 5.6.7 Implementation phase (4.00) 34 5.6.8 Verification phase (5.00)36 5.6.9 Release phase (6.00)37 5.6.10 Sustainment, support and servicing phase (7.00) .38 Annex A (informative) XML examples for case studies in 5.2 41 Bibliography

    14、.70 ISO/IEC 2016 All rights reserved iii Contents Page BS ISO/IEC 270346:2016 ISO/IEC 27034-6:2016(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies t

    15、hat are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other inter

    16、national organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its

    17、 further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directiv

    18、es). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be i

    19、n the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions

    20、related to conformit y assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html. The committee responsible for this document is ISO/IEC JTC 1, Information tec

    21、hnology, SC 27, IT Security techniques. A list of all parts in the ISO/IEC 27034 series can be found on the ISO website.iv ISO/IEC 2016 All rights reserved BS ISO/IEC 270346:2016 ISO/IEC 27034-6:2016(E) Introduction 0.1 General There is an increasing need for organizations to focus on protecting the

    22、ir information at the application level. A systematic approach towards increasing the level of application security provides an organization with evidence that information being used or stored by its applications is being adequately protected. ISO/IEC 27034 (all parts) provides concepts, principles,

    23、 frameworks, components and processes to assist organizations in integrating security seamlessly throughout the life cycle of their applications. The application security control (ASC) is one of the key components of this document. To facilitate the implementation of ISO/IEC 27034 (all parts) applic

    24、ation security framework and the communication and exchange of ASCs, a formal structure should be defined for representing ASCs and certain other components of the framework. 0.2 Purpose The purpose of this document is to provide examples of security guidance for organizations to acquire, develop, o

    25、utsource and manage security for their specific applications through their life cycle. 0.3 Targeted Audiences 0.3.1 General The following audiences will find values and benefits when carrying their designated organizational roles: a) domain experts. 0.3.2 Domain experts Domain experts contributing k

    26、nowledge in application provisioning, operating or auditing, who need to a) participate in ASC development, validation and verification, b) participate in ASC implementation and maintenance, by proposing strategies, components and implementation processes for adapting ASCs to the organizations conte

    27、xt, and c) validate that ASCs are useable and useful in application projects. ISO/IEC 2016 All rights reserved v BS ISO/IEC 270346:2016BS ISO/IEC 270346:2016 Information technology Security techniques Application security Part 6: Case studies 1 Scope This document provides usage examples of ASCs for

    28、 specific applications. NOTE Herein specified ASCs are provided for explanation purposes only and the audience is encouraged to create their own ASCs to assure the application security. 2 Normative references There are no normative references cited in this document. 3 T erms a nd definiti ons For th

    29、e purposes of this document, the terms and definitions given in ISO/IEC 27034-1 apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses: IEC Electropedia: available at http:/ /www.electropedia.org/ ISO Online browsing platform: available at http:/ /

    30、www.iso.org/obp 4 Abbreviated terms ASC application security control ASLC application security life cycle ASLCRM application security life cycle reference model ONF organization normative framework 5 S ecurity guidanc e for specific applicatio ns 5.1 General Guidelines play an important role for com

    31、panies trying to implement any best practice or ISO standard because they instruct how to institutionalize the practices or rules and, sometimes, the guidance is based on common examples. Companies benefit from this guidance as it demonstrates, as a practical example, how to structure ASCs for speci

    32、fic applications using the recommended XML data structure defined in ISO/IEC 27034-5-1 and for the implementation of the Organizational Normative Framework. INTERNATIONAL ST ANDARD ISO/IEC 27034-6:2016(E) ISO/IEC 2016 All rights reserved 1 BS ISO/IEC 270346:2016 ISO/IEC 27034-6:2016(E) 5.2 ASC examp

    33、le: Java code revision for mobile applications 5.2.1 General Code review seams trivial but when an application is built from thousands of lines of code, it may be unproductive and/or too expensive to revise everything. This example presents an ASC designed by a fictive organization called ORGANIsati

    34、on Inc. This ASC implements the security activity of code review. 5.2.2 Purpose The purpose of 5.2 is to provide an intuitive description of an example ASC named “Code Review” for an organization developing Java mobile applications. For the sake of brevity and readability, a simplified subset of the

    35、 ASC is presented in English only (language=”EN”), but the ASC requirements defined in ISO/IEC 27034-5 allows any object in an ASC to be described in any characters sets, as presented by the Table A.1. 5.2.3 Context ORGANIsation Inc. is an international organization developing Java mobile applicatio

    36、ns for its own use and on behalf of its clients. ORGANIsation software development offices are located in Montreal, Vancouver and Moscow. For this reason, ORGANIsations policy is that any development documentation, guideline or training should be available in English, French and Russian languages. O

    37、RGANIsations implementation strategy for ISO/IEC 27034 (all parts) prioritizes the design of ASCs for reducing security vulnerabilities in Java mobile code. The ORGANIsation ONF committee mandates the Application Security Department (ASD) to design and submit Java code review ASCs. 5.2.4 OR G ANIsat

    38、ion Information classification gu idelines ORGANIsation utilizes approved internal classification guidelines for classifying the information into four levels: a) restricted; b) confidential; c) secret; d) top secret. 5.2.5 Levels of trust included in the ORGANIsation ASC Library ORGANIsation had pre

    39、viously conducted an organization-wide security risk assessment, for the purpose of which it divided its applications into six categories according to their impact on organizational risk. Following this, domain experts mandated by the ONF committee decided to use those six categories as a template f

    40、or defining ORGANIsations application levels of trust. An informal definition along with a descriptive label for each level of trust is given in Table 1.2 ISO/IEC 2016 All rights reserved BS ISO/IEC 270346:2016 ISO/IEC 27034-6:2016(E) Table 1 ORGANIsations application levels of trust Level of trust

    41、Name Description 0 Baseline All ORGANIsations applications shall comply with this Level of Trust. 1 Isolated Local network only This Level of Trust is appropriate for applications used on isolated corporate networks, with no connection to external networks. 2 Low Internet, public information only Th

    42、is Level of Trust is appropriate for Internet-facing applications sharing public information without any privacy concern. 3 Medium Internet, corpo- rate users This Level of Trust is appropriate for Internet-facing, transactional applications used by corporate users, allowing access to corporate serv

    43、ices, user files and/or transactions under $5 000. 4 High Secure transactions and privacy protection over Internet This Level of Trust is appropriate for Internet-facing, transactional applications, used by corporate users, allowing access to user pri- vate information and/or transactions from $5 00

    44、0 to $25 000. 5 Private This Level of Trust is appropriate for transactional applications requiring highly secure transactions, privileged access and/or se- cure critical storage. Access to critical information and/or transac- tions over $25 000 is authorized. 5.2.6 Outcome The application security

    45、department was mandate to select and acquire an automatic source code review tool suitable for the Java language, with user-configurable review rules. After analysis of vendor propositions, the department selected a tool named “Efficient-Reviewer version 2.2”. At the end of this project, version 1.0

    46、 of five ASCs were developed and implemented. Table 2 ORGANIsations ASCs for code review ID Name Level of trust Description ORGANIsa- tion-ASD-042 Code Review Baseline Isolated Local network only This ASC is used to help developers to perform a code review control for JAVA applications. Low Internet

    47、, public information only Medium Internet, corporate users High Secure transactions and privacy protection over Internet Private ORGANIsa- tion-ASD-043 Code Classification Baseline Isolated Local network only Classify all Java classes in the packages needed by the application. Low Internet, public i

    48、nformation only Medium Internet, corporate users Any class should inherit its classification from the highest-classi- fied information it processes. High Secure transactions and privacy protection over Internet Private ISO/IEC 2016 All rights reserved 3 BS ISO/IEC 270346:2016 ISO/IEC 27034-6:2016(E)

    49、 ID Name Level of trust Description ORGANIsa- tion-ASD-044 Basic Automatic Code Review Baseline Isolated Local network only Low Internet, public information only This ASC is used to help developers to implement a code review control for Java applications by providing an automatic source code security review process for Java classes classified as “Strate- gic” and “Critical”. ORGANIsa- tion-ASD-045 Advanced Automatic Code R


    注意事项

    本文(BS ISO IEC 27034-6-2016 Information technology Security techniques Application security Case studies《信息技术 安全技术 应用安全 案例研究》.pdf)为本站会员(ideacase155)主动上传,麦多课文档分享仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文档分享(点击联系客服),我们立即给予删除!




    关于我们 - 网站声明 - 网站地图 - 资源地图 - 友情链接 - 网站客服 - 联系我们

    copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
    备案/许可证编号:苏ICP备17064731号-1 

    收起
    展开