Securing Digital Applications
Chris Lewis: Certification Director
Agenda
The problem and solution
The Kitemark and how it works
ISO/IEC 27001 (Information Security Management Standard)
OWASP ASVS v2
CVSS (Common Vulnerability Scoring System)
Steps to achieve the Kitemark
Who is BSI
The Kitemark gives consumers trust
The problem
4 billion is processed every single month over smartphones
How can banks and application owners prevent fraud?
How can banks protect their reputation?
Security is at the forefront for banks and customers alike
How can customers trust the applications they are using?
A solution
Kitemark for Secure Digital Transactions
Provides a dynamic and systematic response to vulnerabilities, which reduces reputational issues for financial institutions and provides trust to customers through the Kitemark
Developed with Barclays and Gotham Digital Science (GDS)
How does the Kitemark work?
A BSI Kitemark scheme has been written that enables applications to be independently assessed. The assessment process verifies that:
1. The client's ISO 27001 scope covers the application and its environment
2. The application is tested against the OWASP (Open Web Application Security Project) standard ASVS V2.0 (Application Security Verification Standard)
ISO/IEC 27001: Information technology, Security techniques, Information Security Management Systems
ISO/IEC 27001 is an internationally recognized best-practice framework for an information security management system. It helps you identify the risks to your important information and put in place the appropriate controls to help reduce the risk.
Plan, Do, Check, Act: a standard which drives continuous improvement
Contents of ISO/IEC 27001
4 Context of the organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement
Annex A Reference control objectives and controls
What are the benefits of ISO/IEC 27001 Information Security Management?
Identify risks and put controls in place to manage or reduce them
Flexibility to adapt controls to all or selected areas of your business
Gain stakeholder and customer trust that their data is protected
Demonstrate compliance and gain status as a preferred supplier
Meet more tender expectations by demonstrating compliance
Assessment performed by a competent BSI Assessor
Penetration Testing
Consists of both black box and white box testing
Uses OWASP ASVS v2 (Open Web Application Security Project: Application Security Verification Standard)
Uses CVSS (Common Vulnerability Scoring System) to calculate the result
Penetration testing is led by a tester qualified as a CREST 10000 hour tester (CCT)
CREST
CREST is a not-for-profit organisation that serves the needs of a technical information security marketplace that requires the services of a regulated professional services industry.
CREST represents the technical information security industry by:
offering a demonstrable level of assurance of the processes and procedures of member organisations
validating the competence of their technical security staff
providing guidance, standards and opportunities to share and enhance knowledge
providing technical security staff with recognised professional qualifications, and those entering or progressing in the industry with support for ongoing professional development
Open Web Application Security Project (OWASP)
OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.
The primary aim of the OWASP Application Security Verification Standard (ASVS) is to normalize the range in the coverage and level of rigor available in the market when it comes to performing web application security verification.
The ASVS standard provides a basis for verifying application technical security controls, as well as any technical security controls in the environment that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of web applications.
OWASP ASVS V2
V2. Authentication
V3. Session Management
V4. Access Control
V5. Malicious Input Handling
V7. Cryptography at Rest
V8. Error Handling and Logging
V9. Data Protection
V10. Communications
V11. HTTP
V13. Malicious Controls
V15. Business Logic
V16. File and Resource
V17. Mobile
Common Vulnerability Scoring System
CVSS is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities.
CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability.
NVD Vulnerability Severity Ratings
NVD provides severity rankings of Low, Medium and High in addition to the numeric CVSS scores, but these qualitative rankings are simply mapped from the numeric CVSS scores:
1. Vulnerabilities are labelled Low severity if they have a CVSS base score of 0.0 to 3.9
2. Vulnerabilities are labelled Medium severity if they have a CVSS base score of 4.0 to 6.9
3. Vulnerabilities are labelled High severity if they have a CVSS base score of 7.0 to 10.0
How does the Kitemark work?
Assessment of the software application and environment using ISO 27001
Penetration testing of the software application using the OWASP (Open Web Application Security Project) standard ASVS V2.0 (Application Security Verification Standard), both black and white box testing
This testing is led by a CREST-qualified 10000 hour tester (CCT)
The resultant CVSS (Common Vulnerability Scoring System) scores are used to define what passes
Corrective action taken
Retesting of the vulnerabilities identified
Testing report produced
Continuing Assessment
Yearly cycle of four E2E functional tests per year
All qualified vulnerabilities of CVSS >6.9 require emergency attention and reporting directly to BSI
All qualified vulnerabilities of CVSS >3.9 require remediation or risk requalification
BSI penetration tester to supply an executive summary report to BSI every three months following the Kitemark certification date
BSI surveillance audits at site to review the process and outputs of testing for each cycle
All major non-conformities reported directly to the BSI certification director
Yearly certification review with BSI evidencing:
Four reports from the BSI penetration tester with passing results
Four surveillance audits of ISO 27001 with all non-conformities resolved
The key phases for the Client
PHASE 1: Shape. Client understands the Kitemark scheme in relation to their ISO 27001 system and application
PHASE 2: Implement and Gap Analysis. Client implements and BSI undertakes a gap analysis to review application and system documentation
PHASE 3: Initial Assessment. BSI formally assesses the system and tests the product
6/10/2015
Phase 1: Shape
Client to review the application and system in relation to their ISO 27001 system and application
Phase 2: Implement and Gap Analysis
Implementation of ISO 27001 in relation to the application. Ensure the system covers devices, system and network.
Review existing penetration testing results
BSI with Client will undertake a dry-run audit in an appropriate location against the scheme protocol to understand the practical issues. Based on this, BSI and Client assess how this will be implemented on a larger scale.
The output of this phase would be an understanding within Client of the nature and scope of the audits. This will allow Client to prepare for the Initial Assessment.
Digital Banking Kitemark Plan 2014 v1
Phase 3: Initial Assessment
Assessment of the software application and environment using ISO 27001
Penetration testing of the software application using the OWASP (Open Web Application Security Project) standard ASVS V2.0 (Application Security Verification Standard), both black and white box testing
Who is BSI?
Leading Global Standards Creation Body: British, European, ISO, Public, Private
The UK National Standards Body: the source of British Standards
Specialist: focus on standards creation, training and certification
Global Network: 70,000 clients in 150 countries worldwide, including governments, global brands and SMEs
Experienced: the world's first National Standards Body, established in 1901 and a founding member of ISO
Thought Leaders: shaped the world's most adopted standards, incl. ISO 9001, ISO 14001, ISO 27001
Trusted: we're a Royal Charter Company, reinvesting profits back into our business to improve our clients' experience
The BSI Kitemark: what it represents
Quality, Safety, Trust
The BSI Kitemark: a true Superbrand with excellent brand recognition
BSI Kitemark: consumer trust and recognition
72% awareness (GfK NOP Consumer Survey, December 2010)
Kitemark for Secure Digital Transactions: press coverage
Barclays' pioneering Pingit mobile payment service and Barclays Mobile Banking are the first products to have been independently assessed in order to be awarded the new BSI (British Standards Institution) Kitemark for secure digital transactions.
Maureen Sumner Smith, UK managing director at BSI, said: "More and more of us are now sharing confidential information through online shopping, mobile banking, booking flights, gaming, university applications or interacting with local government. These behavioural changes from the physical to the digital demand the need for even more rigorous security measures."
Producers of websites or apps which want to achieve the Kitemark will need to undergo "rigorous" testing to make sure their security controls meet the required standards for handling confidential data, the BSI said.
A new Kitemark launched today gives the stamp of approval to websites and apps that offer secure digital transactions.
Digital banking just got safer with British Standards Institution Kitemark for apps launch
Kitemark will show which app to trust
For almost a century it has appeared with reassuring mundanity on everything from manhole covers and condoms to fire extinguishers and motorcycle helmets, comforting the consumer that the product they are about to use is safe. Now, the British Standards Institute's famous Kitemark logo has at last been updated for the digital age.
Conclusion
An ISO 27001 Information Security Management System can be used to control an application
Penetration testing can be used to identify vulnerabilities by using OWASP ASVS v2 and CVSS
By combining the above through BSI's rigorous processes, the consumer can trust this approach by seeing the Kitemark