ISO27k application security standard

An ISO/IEC 27000-series multi-part standard on application security is 'in the works'.

I'm currently reviewing the second Committee Draft of ISO/IEC 27034-1 "Information technology — Security techniques — Application Security — Part 1: Overview and concepts" which lays out the basic concepts and principles for other parts of 27034 to elaborate upon.

Despite this overview section being around 78 pages in length, part 1 states explicitly that 27024 is not a software application development standard, an application project management standard, nor a software development cycle standard. Its purpose is to provide general guidance that will be supported, in turn, by more detailed methods and standards in those areas.

The standard explictly takes a process approach to specifying, designing, developing, testing, implementing and maintaining security functions and controls in application systems. For instance it defines application security not as the state of security of an application system but as "a process an organization can perform for applying controls and measurements to its applications in order the manage the risk of using them".

The draft standard draws on concepts such as auditing and certification of application systems similar in style to the Common Criteria and similar schemes primarily used for government and military systems. It tends to emphasize deliberate threats arising from external adversaries over those from insiders, and perhaps more importantly in many situations accidental threats and hence the need for integrity and availability controls.

The standard is not projected to be released until 2012 - such is the glacially slow pace of ISO/IEC. The upside, though, is that the final product will - we hope - be well worth the wait.