Using the ISO/IEC 27034 as reference to develop an application security control library


Abstract

Secure software development allows solutions to be developed with information security aspects included in the project's scope, preventing malicious users from attacking the system's vulnerabilities. To achieve this, security controls must be integrated into the application's solution design. The ISO/IEC 27034 standard provides the guidance needed to develop application security in any interested organization. An important concept in the standard is the Application Security Control (ASC) Library, which can provide a central repository of security control specifications and designs. The ASC Library can support secure development in the organization's projects by considering their main characteristics and providing references to the necessary security controls. This work reports on action research carried out in an international bank that adopted the ASC Library concept after reviewing its previous application security risk assessments and identifying several missing security controls. The main contribution of this work is a process to identify, specify and document the organization's security controls based on the ASC Library concept.

Citation (APA)

Siqueira, A. A., Reinehr, S., & Malucelli, A. (2017). Using the ISO/IEC 27034 as reference to develop an application security control library. In Communications in Computer and Information Science (Vol. 748, pp. 557–566). Springer Verlag. https://doi.org/10.1007/978-3-319-64218-5_46
