[Infographic: figures recoverable from the page]
Amazon generates $83,000 in online sales
204,000,000 messages
40,500 users share photo messages
2,460,000 pieces of content
1 BILLION personal data records were compromised in 2014
Only 37% of applications are tested for vulnerabilities
The equivalent of 11,944 outages suffered by Microsoft, ... services in 2014 due to ... (sentence incomplete on the page)
[Chart: Applications proliferate. Mobile applications downloaded (estimated), Billions (US$), by Year, 2009 to 2017; the plotted values present on the page cannot be attributed to axes]

1. DEFINE
2. IMPLEMENT
3. EVALUATE
4. ENHANCE

ISF APPLICATION SECURITY FRAMEWORK
GOVERNANCE
A1 Application Security Governance Structures
A2 Application Security Policies and Procedures
A3 Application Ownership
A4 (title not legible on the page)
A5 Application Register
A6 Application Security Education and Training
REQUIREMENTS
B1 Application Security Requirements
DESIGN
C1 Application Security Architecture
C2 Application Security Design
C3 Application Threat Modelling
DEVELOPMENT
D1 Application Procurement
D2 Contractual Agreements
D3 Application Build
D4 Threat Protection
D5 Application Security Testing
DEPLOYMENT
E1 Application Integration
E2 Application Configuration
OPERATIONS
F1 Application Security Operational Procedures
F2 Application Identity and Access Control
F3 Application Change Management
F4 Application Vulnerability Management
F5 Security Event Logging
F6 Application Monitoring
F7 Incident Management
F8 Application Backup
F9 Application Security Audit
DISPOSAL
G1 Application Decommission

A6 APPLICATION SECURITY EDUCATION AND TRAINING
IN A NUTSHELL
Provide the appropriate level of information, education and training about application risk to everyone in the organisation.
WHY IT MATTERS
Investment in education and training improves security knowledge, skills and behaviours.
ACTIONS TO CONSIDER
ISF RESOURCES
See the ISF Standard of Good Practice for Information Security, in particular the topics CF2.2 Security Awareness Programme, CF2.3 Security Awareness Messages and CF2.4 Security Education/Training.
ADDITIONAL RESOURCES
BSIMM Training overall, with the Governance domain including activities such as educate executives.
SAMM Training and Guidance.
Microsoft SDL, SDL Practice #1.
ISO 27034-1:2011, section A.9.1 Training.
WHERE NEXT?
Application Security Bringing order to chaos equips ISF Members to improve governance and risk management
across the application life cycle. It does this by:
articulating the magnitude of application risk
providing practical guidance on how organisations can overcome operational barriers with clear governance,
better communications, the right skills and actions to address immediate risk
setting out an approach that incrementally improves application risk management and embeds good practice
across application portfolios.
Central to the ISF approach for protecting applications and the information they handle is the ISF Application
Security Framework. The 27 good practice guidelines that make up the framework are aligned with the
ISF Standard of Good Practice for Information Security and a wide set of good practice including BSIMM,
ISO/IEC 27034-1:2011, Microsoft SDL and SAMM.
ISF Members will also find that this report complements the ISF Information Risk Assessment Methodology 2 (IRAM2).
The ISF encourages collaboration on its research and tools. Members are invited to join the active Application
Security group on ISF Live (https://www.isflive.org/community/process/application-security), to share their
experience and debate findings in this report. Please let other ISF Members know how you have translated the
guidelines into effective controls to improve information security across your organisation's application portfolio.
The report is available free of charge to ISF Members, and can be downloaded from the ISF Member
website www.isflive.org. Non-Members interested in purchasing the report should contact Steve Durbin
at steve.durbin@securityforum.org.
CONTACT
For further information contact:
Steve Durbin, Managing Director
US Tel: +1 (347) 767 6772
UK Tel: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785 953 800
Email: steve.durbin@securityforum.org
Web: www.securityforum.org
DISCLAIMER
This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information
Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information
contained in this document.
Reference: ISF15 09 02 | Copyright 2015 Information Security Forum Limited | Classification: Public, no restrictions