
Attacks on applications are among the most costly incidents organisations can face. One coordinated attack reportedly stole US$1 billion from 50 different companies.[1]

As the information explosion continues, applications are proliferating and becoming increasingly diverse – moving from mainframes and servers to clouds, smartphones, wearables and other devices. The ability to create applications, once exclusive to vendors and in-house programmers, is now commonplace.

Modern applications are written in multiple languages and run on myriad devices. Organisations no longer have the luxury of managing a handful of applications. Today’s portfolios contain thousands of diverse applications that complicate lines of responsibility and introduce unknown risk.

Complex application portfolios provide fertile ground for a growing number of vulnerabilities. Attackers know that vulnerable applications open doors into organisations’ protected systems and most valuable information: more than two thirds of attacks are targeted at applications.[2] Organisations that do not secure their applications present themselves as easy targets.

Good practice to reduce the risk of attacks is available, and it works. But application risk needs to be governed effectively, otherwise good practice will be applied inconsistently across the application life cycle, leaving risk unmanaged.

The ISF Application Security Framework has been developed to help organisations improve security at all stages of the application life cycle. The framework is a structured and comprehensive set of 27 good practice guidelines, derived from leading practice, expert input, standards and other guidance. The framework is supported by an iterative approach that ISF Members can use to address immediate risk and incrementally improve information security across their application portfolios.

APPLICATION SECURITY: Bringing order to chaos

HOW SHOULD ORGANISATIONS RESPOND TO INCREASING APPLICATION RISK?

By performing successive iterations of the improvement cycle shown below to:

– address immediate application risk

– incrementally improve the security of their application portfolios.

1. DEFINE
For a specific group of applications, assess current practice against the framework to determine gaps. Create and agree an implementation plan.

2. IMPLEMENT
Execute the plan to implement good practice and address the identified gaps.

3. EVALUATE
Determine the extent to which improvements were effective. Remediate if necessary.

4. ENHANCE
Identify and incorporate lessons learned to enable sustainable improvements.

THE ISF APPLICATION SECURITY FRAMEWORK

[Framework diagram: the 27 good practice guidelines are arranged under GOVERNANCE and the life-cycle stages REQUIREMENTS, DESIGN, DEVELOPMENT, DEPLOYMENT, OPERATIONS and DISPOSAL. Guideline labels visible in the diagram: A1 Application Security Governance Structures; Application Security Policies and Procedures; Application Ownership; Application Register; A6 Application Security Education and Training; Application Risk Management; Application Security Requirements; Application Security Architecture; Application Security Design; Application Threat Modelling; D1 Application Procurement; Contractual Agreements; D3 Application Build; D4 Threat Protection; D5 Application Security Testing; Application Integration; Application Configuration; Application Vulnerability Management; Security Event Logging; Application Monitoring; Incident Management; Application Backup; Application Change Management; Application Security Audit; Application Identity and Access Control; Application Security Operational Procedures; Application Decommission.]


A6 Application Security Education and Training

IN A NUTSHELL
Provide the appropriate level of information, education and training about application risk to everyone in the organisation.

WHY IT MATTERS
Investment in education and training improves security knowledge, skills and behaviours.

ACTIONS TO CONSIDER

1 Engage with senior management to inform them of the nature of application risk and the potential business impact.

2 Maintain a programme that provides targeted education and training for stakeholders according to their roles and responsibilities (e.g., risk for application owners and users, security requirements for procurement teams and secure coding practices for developers).

3 Focus education and training on application risk and how to minimise it. Use topics such as:

i frequency and impact of incidents

ii common threat events to applications

iii application security policies and procedures

iv personal responsibility for adhering to policies and procedures (e.g., keeping to secure coding practice, not compromising security requirements in contracts, not letting unauthorised people see application information, not sharing passwords and not using unauthorised applications)

v particular security features in applications.

4 Update education and training as threats emerge, security practices change and development techniques evolve.

5 Monitor and evaluate how effective education and training is, and use the results to improve it.

Hints and Tips

• Integrate education and training with the organisation’s security awareness programmes.

ISF RESOURCES

• See the ISF Standard of Good Practice for Information Security, in particular the topics CF2.2 Security Awareness Programme, CF2.3 Security Awareness Messages and CF2.4 Security Education/Training.

• See the ISF report From Promoting Awareness to Embedding Behaviours: Secure by choice, not by chance, which provides guidance on how to set up and implement awareness and training courses according to role and responsibility.

ADDITIONAL RESOURCES

• BSIMM Training overall, with the Governance domain including activities such as “educate executives”.

• SAMM Training and Guidance.

• Microsoft SDL, SDL Practice #1.

• ISO 27034-1:2011, section A.9.1 Training.


ABOUT THIS REPORT

This report describes how application risk is increasing and why managing the risk is now critical, given the impacts organisations are experiencing and their reliance on applications. It highlights a number of areas that ISF research found to be particularly important in overcoming the barriers to effective application governance and risk management. Leading CISOs ensure clear governance structures are in place. They communicate across multiple organisational levels, allowing stakeholders to visualise responsibilities clearly and understand the true extent of the risk. They facilitate skills development for those who need it, in particular application teams and risk managers.

The ISF Application Security Framework, shown on the left, is the centre of the ISF approach to addressing application risk. This structured and comprehensive set of 27 good practice guidelines, shown below, is aligned with the ISF Standard of Good Practice for Information Security and will help organisations improve governance and risk management across the application life cycle.

[Infographic: Information volumes explode. Every minute, Facebook users share 2,460,000 pieces of content; email users send 204,000,000 messages; Amazon generates $83,000 in online sales; 40,500 photo messages are sent using Snapchat (as of Jul 2014).]

[Infographic: Applications proliferate. Chart of mobile applications downloaded (billions of apps) and US$ earned by mobile app providers (billions of US$) by year, 2009 to 2017 (estimated).]

[Infographic: Organisations are not keeping up. The equivalent of 106 years of downtime was suffered by Microsoft, Yahoo! and Google services in 2014 due to 11,944 outages. Only 37% of applications are tested for vulnerabilities (as of Nov 2014). 1 billion personal data records were compromised in 2014.]

Sources: Jack Taylor, ViralNova, Statista, NCC, Veracode, Gemalto

WHERE NEXT?

ABOUT THE ISF

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

DISCLAIMER

This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information contained in this document.

Reference: ISF15 09 02 | Copyright © 2015 Information Security Forum Limited | Classification: Public, no restrictions

CONTACT

For further information contact:

Steve Durbin, Managing Director
US Tel: +1 (347) 767 6772
UK Tel: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785 953 800
Email: [email protected]
www.securityforum.org

Application Security – Bringing order to chaos equips ISF Members to improve governance and risk management across the application life cycle. It does this by:

– articulating the magnitude of application risk

– providing practical guidance on how organisations can overcome operational barriers with clear governance, better communications, the right skills and actions to address immediate risk

– setting out an approach that incrementally improves application risk management and embeds good practice across application portfolios.

Central to the ISF approach for protecting applications and the information they handle is the ISF Application Security Framework. The 27 good practice guidelines that make up the framework are aligned with the ISF Standard of Good Practice for Information Security and a wide set of good practice including BSIMM, ISO/IEC 27034-1:2011, Microsoft SDL and SAMM.

ISF Members will also find that this report complements the ISF Information Risk Assessment Methodology 2 (IRAM2).

The ISF encourages collaboration on its research and tools. Members are invited to join the active Application Security group on ISF Live (https://www.isflive.org/community/process/application-security), to share their experience and debate findings in this report. Please let other ISF Members know how you have translated the guidelines into effective controls to improve information security across your organisation’s application portfolio.

The report is available free of charge to ISF Members, and can be downloaded from the ISF Member website www.isflive.org. Non-Members interested in purchasing the report should contact Steve Durbin at [email protected].

[1] Kaspersky Lab (2015) Carbanak APT: The great bank robbery version 2, Securelist. http://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt

[2] Gartner Security and Risk Summit, 23-26 June 2014, National Harbor, Maryland, USA.