Securing Digital Applications


Securing Digital Applications
Chris Lewis: Certification Director

Agenda
- The problem and solution
- The Kitemark and how it works
- ISO/IEC 27001 (Information Security Management Standard)
- OWASP ASVS v2
- CVSS (Common Vulnerability Scoring System)
- Steps to achieve Kitemark
- Who is BSI
- Kitemark gives consumers trust

The problem
- 4 billion is processed every single month over smartphones
- How can banks and application owners prevent fraud?
- How can banks protect their reputation?
- Security is at the forefront for banks and customers alike
- How can customers trust the applications they are using?

A solution
Kitemark for Secure Digital Transactions: providing a dynamic and systematic response to vulnerabilities, which reduces reputational issues for financial institutions and provides trust to customers through the Kitemark.
Developed with Barclays and Gotham Digital Sciences (GDS).

How does the Kitemark work?
A BSI Kitemark scheme has been written that enables applications to be independently assessed. The assessment process will assess that:
1. The client's ISO 27001 scope covers the application and its environment
2. The application is tested against the OWASP (Open Web Application Security Project) standard ASVS V2.0 (Application Security Verification Standard)

ISO/IEC 27001: Information technology - Security techniques - Information security management systems
ISO/IEC 27001 is an internationally recognized best practice framework for an information security management system. It helps you identify the risks to your important information and put in place the appropriate controls to help reduce the risk. It is a Plan, Do, Check, Act standard which drives continuous improvement.

Contents of ISO/IEC 27001
4 Context of the organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement
Annex A Reference control objectives and controls

What are the benefits of ISO/IEC 27001 Information Security Management?
- Identify risks and put controls in place to manage or reduce them
- Flexibility to adapt controls to all or selected areas of your business
- Gain stakeholder and customer trust that their data is protected
- Demonstrate compliance and gain status as a preferred supplier
- Meet more tender expectations by demonstrating compliance
- Assessment performed by a competent BSI Assessor

Penetration Testing
- Consists of both black box and white box testing
- Uses OWASP ASVS v2 (Open Web Application Security Project: Application Security Verification Standard)
- Uses CVSS (Common Vulnerability Scoring System) to calculate the result
- Penetration testing is led by a tester qualified as a CREST 10,000-hour tester (CCT)

CREST
CREST is a not-for-profit organisation that serves the needs of a technical information security marketplace that requires the services of a regulated professional services industry. CREST represents the technical information security industry by:
- offering a demonstrable level of assurance of the processes and procedures of member organisations
- validating the competence of their technical security staff
- providing guidance, standards and opportunities to share and enhance knowledge
- providing technical security staff with recognised professional qualifications, and those entering or progressing in the industry with support for ongoing professional development

Open Web Application Security Project (OWASP)
OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. The primary aim of the OWASP Application Security Verification Standard (ASVS) is to normalize the range in the coverage and level of rigor available in the market when it comes to performing web application security verification. The ASVS standard provides a basis for verifying application technical security controls, as well as any technical security controls in the environment that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of web applications.

OWASP ASVS V2
V2. Authentication
V3. Session Management
V4. Access Control
V5. Malicious Input Handling
V7. Cryptography at Rest
V8. Error Handling and Logging
V9. Data Protection
V10. Communications
V11. HTTP
V13. Malicious Controls
V15. Business Logic
V16. File and Resource
V17. Mobile

Common Vulnerability Scoring System
CVSS is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability.

NVD Vulnerability Severity Ratings
NVD provides severity rankings of Low, Medium and High in addition to the numeric CVSS scores, but these qualitative rankings are simply mapped from the numeric CVSS scores:
1. Vulnerabilities are labelled Low severity if they have a CVSS base score of 0.0 to 3.9
2. Vulnerabilities are labelled Medium severity if they have a CVSS base score of 4.0 to 6.9
3. Vulnerabilities are labelled High severity if they have a CVSS base score of 7.0 to 10.0

How does the Kitemark work?
- Assessment of the software application and its environment using ISO 27001
- Penetration testing of the software application using the OWASP (Open Web Application Security Project) standard ASVS V2.0 (Application Security Verification Standard), both black and white box testing. This testing is led by a CREST-qualified 10,000-hour tester (CCT).
- Using the resultant CVSS (Common Vulnerability Scoring System) score to define what passes
- Corrective action taken
- Retesting of vulnerabilities identified
- Testing report produced

Continuing Assessment
- Yearly cycle of four E2E functional tests per year
- All qualified vulnerabilities with CVSS > 6.9 require emergency attention and reporting directly to BSI
- All qualified vulnerabilities with CVSS > 3.9 require remediation or risk requalification
- The BSI penetration tester supplies an executive summary report to BSI every three months following the Kitemark certification date
- BSI surveillance audits at site review the process and outputs of testing for each cycle
- All major non-conformities are reported directly to the BSI certification director
- Yearly certification review with BSI evidencing:
  - Four reports from the BSI penetration tester with passing results
  - Four surveillance audits of ISO 27001 with all non-conformities resolved

The key phases for the Client
PHASE 1: Shape. Client understands the Kitemark scheme in relation to their ISO 27001 system and application.
PHASE 2: Implement and Gap Analysis. Client implements, and BSI undertakes a gap analysis to review application and system documentation.
PHASE 3: Initial Assessment. BSI formally assesses the system and tests the product.
6/10/2015

Phase 1: Shape
Client to review the application and system in relation to their ISO 27001 system and application.

Phase 2: Implement and Gap Analysis
- Implementation of ISO 27001 in relation to the application. Ensure the system covers devices, system and network.
- Review existing penetration testing results.
- BSI with Client will undertake a dry-run audit in an appropriate location against the Scheme protocol to understand the practical issues. Based on this, BSI and Client will assess how this will be implemented on a larger scale.
- The output of this phase would be an understanding within Client of the nature and scope of the audits. This will allow Client to prepare for the Initial Assessment.
Digital Banking Kitemark Plan 2014 v1

Phase 3: Initial Assessment
- Assessment of the software application and its environment using ISO 27001
- Penetration testing of the software application using the OWASP (Open Web Application Security Project) standard ASVS V2.0 (Application Security Verification Standard), both black and white box testing

Who is BSI?
- Leading Global Standards Creation Body: British, European, ISO, public, private
- The UK National Standards Body: the source of British Standards
- Specialist: focus on standards creation, training and certification
- Global Network: 70,000 clients in 150 countries worldwide, including governments, global brands and SMEs
- Experienced: the world's first National Standards Body, established in 1901 and a founding member of ISO
- Thought Leaders: shaped the world's most adopted standards, incl. ISO 9001, ISO 14001, ISO 27001
- Trusted: we're a Royal Charter Company, reinvesting profits back into our business to improve our clients' experience

The BSI Kitemark: what it represents
Quality, Safety, Trust

The BSI Kitemark: a true Superbrand with excellent brand recognition

BSI Kitemark consumer trust and recognition
72% awareness (GfK NOP Consumer Survey, December 2010)

Press coverage
Barclays' pioneering Pingit mobile payment service and Barclays Mobile Banking are the first products to have been independently assessed in order to be awarded the new BSI (British Standards Institution) Kitemark for secure digital transactions.
Maureen Sumner Smith, UK managing director at BSI, said: "More and more of us are now sharing confidential information through online shopping, mobile banking, booking flights, gaming, university applications or interacting with local government. These behavioural changes from the physical to the digital demand the need for even more rigorous security measures."
Producers of websites or apps which want to achieve the Kitemark will need to undergo "rigorous" testing to make sure their security controls meet the required standards for handling confidential data, the BSI said.
A new Kitemark launched today gives the stamp of approval to websites and apps that offer secure digital transactions.
"Digital banking just got safer with British Standards Institution Kitemark for apps launch"
"Kitemark will show which app to trust"
For almost a century it has appeared with reassuring mundanity on everything from manhole covers and condoms to fire extinguishers and motorcycle helmets, comforting the consumer that the product they are about to use is safe. Now, the British Standards Institute's famous Kitemark logo has at last been updated for the digital age.
Kitemark for Secure Digital Transactions

Conclusion
- An ISO 27001 Information Security Management System can be used to control an application
- Penetration testing can be used to identify vulnerabilities by using OWASP ASVS v2 and CVSS
- By combining the above through BSI's rigorous processes, the consumer can trust this approach by seeing the Kitemark