安全管理--国际信息安全技术标准发展(PPT 20页)-英文版.pptVIP

Guidelines for Application Security Reduce security problems at the application layers Eliminate common weaknesses at code and process levels Strengthen security of code base improve application security and reliability Multi-parts standards, including Code Security Certification Process Security Certification Code Security Testing and certification per major release of application Process Security Security Development Lifecycle Assure security of code from design to operation, including minor releases, patch development release Focus on Web-based applications (major problem areas) Guidelines for Application Security Specify an application security life cycle, incorporating the security activities and controls for use as part of an application life cycle, covering applications developed through internal development, external acquisition, outsourcing/offshoring1, or a hybrid of these approaches. Provide guidance to business and IT managers, developers, auditors, and end-users to ensure that the desired level of security is attained in business applications in line with the requirements of the organization’s Information Security Management Systems (ISMS). Application security addresses all aspects of security required to determine the information security requirements, and ensure adequate protection of information accessed by an application as well as to prevent unauthorized use of the application and unauthorized actions of an application. Informational security concerns in business applications are to be addressed in all phases of the application life cycle, as guided by the organization’s risk management principles and the ISMS adopted. * Guidelines for Application Security Structure (DRAFT) Part 1 – Overview, definition, concepts, and principles Part 2 – Secure Application Lifecycle Part 3 – Secure Application Architecture Part 4 – Protocols and Data Structure, Input, Processes, and Output Security Part 5 – Application Security Assurance Part 6 – N-Tiers and