Preface

Application security is a critical area for information security managers. This book shows you how to secure applications as part of the development and roll-out of an Information Security Management System (‘ISMS’) that conforms with ISO/IEC27001.

Chapter 1 introduces you to the international information security management standard, ISO/IEC27001:2005, and describes its relationship with other information security standards. In Chapter 2 we outline the steps to implement an ISMS that meets the specification set out in ISO27001. A critical step in the implementation is the risk assessment, and this is described in Chapter 3.

In Chapter 4 we start focusing specifically on how to deal with application security, and survey the threat landscape to applications. This is a prelude to our deep dive into application security.

The ISO27001 controls relevant to application security are introduced in Chapter 5. We discuss the objectives of each control and provide implementation guidance. Chapter 6 covers the attacks on applications that necessitate such controls, and walks through some of the most common attacks with examples.

Secure applications are the result of a well thought-out application security strategy. Chapter 7 presents the elements of such a strategy and shows how to integrate security with the traditional software development lifecycle.

Some of the most important elements of this strategy are discussed in greater depth in the rest of the book. Chapter 8 is targeted at designers and testers. It shows how to create threat profiles and how to perform security testing of applications. Chapter 9 is targeted at developers – it provides a ready-to-use coding guidelines checklist to enhance the security of applications.

Acknowledgements

I would like to thank Alan Calder for the concept and for the opportunity to produce this book. I would like to thank Rajat Mohanty (CEO, Paladion) and Roshen Chandran (Director, Application Security, Paladion) for their guidance and support. Roshen has been instrumental in the success of this project, and his reviews and ideas have been invaluable. I would like to thank Jose Varghese (Delivery Head, Managed Risk Services, Paladion) for all the operational support. Last but not least, I would like to thank Sreeraj Gopinathan (Head, HR & Finance, Paladion) for identifying and highlighting this opportunity.

Vinod Vasudevan

January 2008
