
APPLICATION SECURITY

Bringing order to chaos


Attacks on applications are among the most costly incidents organisations can face. One coordinated attack
reportedly stole US$1 billion from 50 different companies.1
As the information explosion continues, applications are proliferating and becoming increasingly diverse, moving from mainframes
and servers to clouds, smartphones, wearables and other devices. The ability to create applications, once exclusive to vendors and
in-house programmers, is now commonplace.
Modern applications are written in multiple languages and run on myriad devices. Organisations no longer have the luxury
of managing a handful of applications. Today's portfolios contain thousands of diverse applications that complicate lines of
responsibility and introduce unknown risk.
Complex application portfolios provide fertile ground for a growing number of vulnerabilities. Attackers know that vulnerable
applications open doors into organisations' protected systems and most valuable information: more than two thirds of attacks
are targeted at applications.2 Organisations that do not secure their applications present themselves as easy targets.
Good practice to reduce the risk of attacks is available, and it works. But application risk needs to be governed effectively,
otherwise good practice will be applied inconsistently across the application life cycle, leaving risk unmanaged.
The ISF Application Security Framework has been developed to help organisations improve security at all stages of the application
life cycle. The framework is a structured and comprehensive set of 27 good practice guidelines, derived from leading practice,
expert input, standards and other guidance. The framework is supported by an iterative approach that ISF Members can use
to address immediate risk and incrementally improve information security across their application portfolios.

HOW SHOULD ORGANISATIONS RESPOND TO INCREASING APPLICATION RISK?

Information volumes explode

Every minute...
  Email users send 204,000,000 messages
  Amazon generates $83,000 in online sales
  Facebook users share 2,460,000 pieces of content
  40,500 photo messages are sent using Snapchat

Applications proliferate (as of Jul 2014)

[Chart: mobile applications downloaded (billions) and US$ earned by mobile app providers (billions), by year from 2009 to 2017, with the later years estimated.]

Organisations are not keeping up

  The equivalent of 106 YEARS of downtime was suffered by Microsoft, Yahoo! and Google services in 2014 due to 11,944 outages
  Only 37% of applications are tested for vulnerabilities
  1 BILLION personal data records were compromised in 2014 (as of Nov 2014)

Sources: Jack Taylor, ViralNova, Statista, NCC, Veracode, Gemalto

ABOUT THIS REPORT

This report describes how application risk is increasing and why managing the risk is now critical, given the impacts
organisations are experiencing and their reliance on applications. It highlights a number of areas that ISF research found
to be particularly important in overcoming the barriers to effective application governance and risk management. Leading
CISOs ensure clear governance structures are in place. They communicate across multiple organisational levels, allowing
stakeholders to visualise responsibilities clearly and understand the true extent of the risk. They facilitate skills
development for those who need it, in particular application teams and risk managers.

The ISF Application Security Framework, shown below, is the centre of the ISF approach to addressing application risk.
This structured and comprehensive set of 27 good practice guidelines is aligned with the ISF Standard of Good Practice
for Information Security and will help organisations improve governance and risk management across the application
life cycle.

ISF Members can use the framework by performing successive iterations of the improvement cycle below to:
  address immediate application risk
  incrementally improve the security of their application portfolios.

1. DEFINE
For a specific group of applications, assess current practice against the framework to determine gaps.
Create and agree an implementation plan.

2. IMPLEMENT
Execute the plan to implement good practice and address the identified gaps.

3. EVALUATE
Determine the extent to which improvements were effective. Remediate if necessary.

4. ENHANCE
Identify and incorporate lessons learned to enable sustainable improvements.

THE ISF APPLICATION SECURITY FRAMEWORK

GOVERNANCE
  A1 Application Security Governance Structures
  A2 Application Security Policies and Procedures
  A3 Application Ownership
  A4 Application Risk Management
  A5 Application Register
  A6 Application Security Education and Training

REQUIREMENTS
  B1 Application Security Requirements

DESIGN
  C1 Application Security Architecture
  C2 Application Security Design
  C3 Application Threat Modelling

DEVELOPMENT
  D1 Application Procurement
  D2 Contractual Agreements
  D3 Application Build
  D4 Threat Protection
  D5 Application Security Testing

DEPLOYMENT
  E1 Application Integration
  E2 Application Configuration

OPERATIONS
  F1 Application Security Operational Procedures
  F2 Application Identity and Access Control
  F3 Application Change Management
  F4 Application Vulnerability Management
  F5 Security Event Logging
  F6 Application Monitoring
  F7 Incident Management
  F8 Application Backup
  F9 Application Security Audit

DISPOSAL
  G1 Application Decommission

A6 Application Security Education and Training

IN A NUTSHELL
Provide the appropriate level of information, education and training about application risk to everyone
in the organisation.

WHY IT MATTERS
Investment in education and training improves security knowledge, skills and behaviours.

ACTIONS TO CONSIDER
1 Engage with senior management to inform them of the nature of application risk and the potential
business impact.
2 Maintain a programme that provides targeted education and training for stakeholders according to their
roles and responsibilities (e.g., risk for application owners and users, security requirements for
procurement teams and secure coding practices for developers).
3 Focus education and training on application risk and how to minimise it. Use topics such as:
  i frequency and impact of incidents
  ii common threat events to applications
  iii application security policies and procedures
  iv personal responsibility for adhering to policies and procedures (e.g., keeping to secure coding
  practice, not compromising security requirements in contracts, not letting unauthorised people see
  application information, not sharing passwords and not using unauthorised applications)
  v particular security features in applications.
4 Update education and training as threats emerge, security practices change and development
techniques evolve.
5 Monitor and evaluate how effective education and training is, and use the results to improve it.

Hints and Tips
Integrate education and training with the organisation's security awareness programmes.

ISF RESOURCES
See the ISF Standard of Good Practice for Information Security, in particular the topics CF2.2 Security
Awareness Programme, CF2.3 Security Awareness Messages and CF2.4 Security Education/Training.
See the ISF report From Promoting Awareness to Embedding Behaviours: Secure by choice, not by chance,
which provides guidance on how to set up and implement awareness and training courses according to
role and responsibility.

ADDITIONAL RESOURCES
BSIMM Training overall, with the Governance domain including activities such as educate executives.
SAMM Training and Guidance.
Microsoft SDL, SDL Practice #1.
ISO 27034-1:2011, section A.9.1 Training.

WHERE NEXT?
Application Security Bringing order to chaos equips ISF Members to improve governance and risk management
across the application life cycle. It does this by:
articulating the magnitude of application risk
providing practical guidance on how organisations can overcome operational barriers with clear governance,
better communications, the right skills and actions to address immediate risk
setting out an approach that incrementally improves application risk management and embeds good practice
across application portfolios.
Central to the ISF approach for protecting applications and the information they handle is the ISF Application
Security Framework. The 27 good practice guidelines that make up the framework are aligned with the
ISF Standard of Good Practice for Information Security and a wide set of good practice including BSIMM,
ISO/IEC 27034-1:2011, Microsoft SDL and SAMM.
ISF Members will also find that this report complements the ISF Information Risk Assessment Methodology 2 (IRAM2).
The ISF encourages collaboration on its research and tools. Members are invited to join the active Application
Security group on ISF Live (https://www.isflive.org/community/process/application-security), to share their
experience and debate findings in this report. Please let other ISF Members know how you have translated the
guidelines into effective controls to improve information security across your organisation's application portfolio.
The report is available free of charge to ISF Members, and can be downloaded from the ISF Member
website www.isflive.org. Non-Members interested in purchasing the report should contact Steve Durbin
at steve.durbin@securityforum.org.

CONTACT
For further information contact:
Steve Durbin, Managing Director
US Tel: +1 (347) 767 6772
UK Tel: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785 953 800
Email: steve.durbin@securityforum.org
Web: www.securityforum.org

ABOUT THE ISF


Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the
world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best
practice methodologies, processes and solutions that meet the business needs of its Members.
ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and
developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that
Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure
required to reach the same goals on their own.

DISCLAIMER
This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information
Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information
contained in this document.

1 Kaspersky Lab (2015) Carbanak APT: The great bank robbery version 2, Securelist. http://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt
2 Gartner Security and Risk Summit, 23-26 June 2014, National Harbor, Maryland, USA.

Reference: ISF15 09 02 | Copyright 2015 Information Security Forum Limited | Classification: Public, no restrictions
