This article will survey some of the US and international standards used to understand the risks and controls associated with computer application security.
With all the emphasis on network security in recent years, the critical area of application security may not be receiving adequate attention. Consider that once networks are secure from internal and external threats, an equal or greater risk may be associated with critical software applications. Examples of such critical applications are enterprise resource planning (ERP), customer relationship management (CRM), online banking, financial accounting and manufacturing applications. Various security standards address the key components of application security, including confidentiality, integrity and availability. Some specific security areas are emphasized in the standards, such as access controls, development life cycle and cryptographic controls.
Application security can be defined as the set of security mechanisms around an application that protect its confidentiality, integrity and availability. Applications in the modern production environment, however, do not operate in a vacuum. Business process analysis is used to understand the role and operation of an application. Risk management is important to direct and allocate security resources to higher-risk areas. All of the above are necessary for a holistic approach to application security.
This survey will discuss the following standards and documents: ISO 17799, ISO 15408, COBIT, SP800-14, SP800-27 and SAS 94. These are widely used and respected standards and documents published by recognized organizations and government agencies. This is not a comprehensive survey of all standards in circulation, and there is inevitably some bias in this selection of standards based on the professional experience of this author. Table 1 and the following text compare the standards' application security objectives and key components.
Code of Practice for Information Security Management
The International Organization for Standardization issued the Code of Practice for Information Security Management (ISO 17799) in 2000. This standard is based on the British Standard 7799 first published in 1995. It is a comprehensive set of controls considered to be best practices in information security including policies, practices, procedures, organizational structures and software functions. The standard recommends establishing and maintaining a documented "information security management system." This system should focus on identifying critical information assets, specifying the degree of assurance required as well as risk management, control objectives and procedures.
Detailed controls are organized into 10 major sections--security policy, security organization, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, system development and maintenance, business continuity management, and compliance.
ISO 17799 Application Security
The section on system development and maintenance provides specific security objectives, risks and controls relevant to application security. Business process analysis is suggested in the initial phases of implementation to identify, justify and document the requirements of the application. The basic objective of application security according to ISO 17799 is to prevent loss, modification or misuse of user data. Controls should be designed around the input, processing and output of data.
Specific input controls include dual input checks, where data are entered twice and the two entries are compared for errors. Detection of errors such as out-of-range values, invalid characters in data fields, and missing or incomplete data is an objective.
The processing of data should include controls to protect the integrity of the data. Examples of such controls are batch totals before and after processing, balance controls to check opening balances to previous closing balances, checks on the order of processing programs and whether programs are terminated or halted in the case of a failure.
Output controls may include plausibility checks to test whether output data are reasonable and reconciliation control counts to ensure complete processing of all data.
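The input, processing and output controls just described, worked through as an added example that is not code from the article or from ISO 17799: a constructed ledger batch is keyed twice, screened by the input checks, and then posted under batch total, balance continuity, reconciliation count and plausibility controls. The account number format, the amount limit and every sample value are assumptions.

```python
import re
from decimal import Decimal, InvalidOperation

# Added example (not from the article): ISO 17799 style input, processing and output
# controls on a constructed ledger batch. Record layout, limits and values are assumed.
ACCOUNT_RE = re.compile(r"^\d{4}$")        # assumed account number format
MAX_ABS_AMOUNT = Decimal("100000.00")      # assumed out-of-range threshold
# Constructed sample batch keyed twice by an operator; T3-T5 trip the input controls.
FIRST_ENTRY = [
    {"id": "T1", "account": "1001", "amount": "125.00"},
    {"id": "T2", "account": "1001", "amount": "-40.50"},
    {"id": "T3", "account": "1002", "amount": "250000.00"},   # out of range
    {"id": "T4", "account": "10O3", "amount": "12.00"},       # letter O in account
    {"id": "T5", "account": "1002", "amount": ""},            # missing amount
]
SECOND_ENTRY = [dict(r) for r in FIRST_ENTRY]
SECOND_ENTRY[1]["amount"] = "-45.00"       # T2 keyed differently the second time

def input_errors(records):
    """Input controls: out-of-range values, invalid characters, missing data."""
    errors = []
    for r in records:
        try:
            amount = Decimal(r["amount"])
        except InvalidOperation:
            why = "missing amount" if not r["amount"] else "invalid characters in amount"
            errors.append((r["id"], why))
            continue
        if abs(amount) > MAX_ABS_AMOUNT:
            errors.append((r["id"], "amount out of range"))
        if not ACCOUNT_RE.match(r["account"]):
            errors.append((r["id"], "invalid characters in account"))
    return errors

def dual_input_mismatches(first, second):
    """Dual input check: compare the two keyings of the batch field by field."""
    by_id = {r["id"]: r for r in second}
    return [r["id"] for r in first if by_id.get(r["id"]) != r]

def accepted_records(records):
    """Only records that passed every input control reach the processing stage."""
    rejected = {rid for rid, _ in input_errors(records)}
    return [r for r in records if r["id"] not in rejected]

def post_batch(records, control_count, control_total, opening_balance, previous_closing):
    """Processing and output controls against the count and total keyed with the batch."""
    posted = [Decimal(r["amount"]) for r in records]          # the processing step
    closing = Decimal(opening_balance) + sum(posted, Decimal(0))
    return {
        "balance_continuity_ok": Decimal(opening_balance) == Decimal(previous_closing),
        "batch_total_ok": sum(posted, Decimal(0)) == Decimal(control_total),
        "reconciliation_ok": len(posted) == control_count,
        "plausible_output": closing >= 0,                      # assumed plausibility rule
        "closing_balance": closing,
    }
```

A failed reconciliation count here means rejected records still need correction and re-entry before the batch is complete, which is exactly the gap the control is meant to surface.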
Cryptographic controls are discussed with the objective of protecting the confidentiality, authenticity and integrity of information. Policies are appropriate here to identify sensitive information that requires strong protection. Encryption algorithms and length of cryptographic keys are important issues. Digital signatures and cryptographic key management are controls to protect the authenticity and integrity of electronic documents. Key management includes the critical functions of generating, distributing, storing and revoking keys.
Evaluation Criteria for IT Security
ISO 15408, Evaluation Criteria for IT Security, is based on the "common criteria" for evaluating IT products and systems. The Common Criteria function as a standard for measuring the security and assurance associated with a product. The objective is to prevent unauthorized disclosure, modification or loss of use--similar to confidentiality, integrity and availability. The original Common Criteria for Information Technology Security Evaluation was published in 1999 by a consortium of US and European national standards organizations and licensed to the ISO as ISO/IEC 15408.
Evaluations of IT products using ISO 15408 can be used as assurance about the security of a product or as a guarantee by the manufacturer about security capabilities. Consumers can use the standard to determine if an application or system fits their requirements. Developers use the standard as a guide in designing and building a product. Evaluators use the standard to test products and to determine what functionality is included.
IT products, known as targets of evaluation (TOE), can be evaluated using the common criteria, including operating systems, networks, distributed systems and applications. Users are encouraged to write protection profiles outlining their needs, which are intended to motivate vendors to meet these profiles.
ISO 15408 Application Security
ISO 15408 presents two categories of security requirements, functional requirements and assurance requirements, that are used to develop applications with varying degrees of security. An application can be designed with minimum or maximum security features and a corresponding assurance level.
Security functional requirements are grouped into 11 classes, each with a number of "families" that have a specific security objective and a desired security behavior. The 11 classes are security audit, identification and authentication, resource utilization, cryptographic support, security management, access controls, communication, privacy, trusted paths/channels, user data protection and protection of security functions.
Assurance requirements are based on confidence in the implementation of security functions as well as the effectiveness of the security functions. These requirements are based on the presence of the desired behavior as well as the absence of undesired behavior. The eight assurance requirements are configuration management, guidance documents, vulnerability assessment, delivery and operation, life cycle support, assurance maintenance, development and testing.
Evaluation assurance levels (EAL) are predefined packages of the previously mentioned assurance requirements. Each level has an incremental security capability and indicates increased confidence in the product. EAL1 indicates that a product was only functionally tested. EAL7 indicates that the product has been subjected to maximum testing and the design has been validated thoroughly. This level is associated with high value information and high risk.
The standard does not mandate a model for application development, but does mention general phases commonly used, such as security requirements, functional specification, high-level design, programming and implementation.
Control Objectives for Information and related Technology (COBIT)
COBIT, published by the IT Governance Institute and the Information Systems Audit and Control Foundation, is a framework of IT governance and control practices. This IT governance guide is integrated in a cycle of business requirements, IT processes and IT resources to support the operation of a business. The business requirements obviously are highly variable. IT processes and resources in the COBIT model are discussed below.
COBIT describes a range of information criteria for developing a comprehensive security program in support of overall business needs for information. A fundamental concept of COBIT is that business requirements are the priority and that information should conform to certain criteria. The information criteria were developed from other well-known security models and integrate the concepts of effectiveness, efficiency, reliability and compliance as well as the traditional security concepts of confidentiality, integrity and availability. The IT processes (see below) described in the COBIT Framework are mapped to the relevant information criteria as well as the supporting IT resources.
COBIT includes 34 IT processes grouped into four domains including planning and organization (PO), acquisition and implementation (AI), delivery and support (DS) and monitoring (M). The processes are broken down further into 318 specific control objectives and associated audit guidelines.
IT resources include data, application systems, technology, facilities and people. Security and control are critical to the management of these resources through specific policies, procedures, practices and organizational structures.
COBIT Application Security
Application systems are understood to be the sum of manual and programmed procedures. Data are defined broadly, including text, graphics, video and sound. These two IT resources--application systems and data--process business events into usable information. This can be seen in the context of business process analysis where applications consist of input, process and output phases. IT processes and control objectives correspond to each of these phases. Application security is integrated into all four COBIT domains.
The COBIT IT processes most relevant to application security are provided in table 2.
Generally Accepted Principles and Practices for Securing Information Technology Systems
The National Institute of Standards and Technology (NIST) in the US Department of Commerce published the Generally Accepted Principles and Practices for Securing Information Technology Systems, Special Publication 800-14, in 1996. The document provides a baseline for developing and reviewing IT security programs. The eight principles and 14 practices in the document are applied in the use, protection and design of government information and data systems.
Generally accepted security principles are general and do not address application security directly. Some of the principles mention applications and systems only as part of overall information security. Examples of these principles are: "computer security is an integral element of sound management," and "computer security requires a comprehensive and integrated approach." These principles, however, are the basis for the security practices, which include objectives, controls and procedures.
SP 800-14 Application Security
Application security is addressed in specific practices such as "life cycle planning" and "security considerations in computer support and operations." Peripheral discussion of application security is found in sections on system level program management and contingency and disaster planning.
The practice of life cycle planning for computer application software includes the five phases: initiation, development/acquisition, implementation, operation and disposal. Each phase is described with security requirements, which can be technical features, assurances or operational practices. During the initiation phase, a sensitivity assessment should be performed. In the development/acquisition phase, security requirements should be documented and incorporated into specifications. In the implementation phase, testing should be conducted and accreditation sought from management. In the operations phase, security operations should be continuous with appropriate monitoring and auditing. In the disposal phase, data should be removed and the media sanitized.
Security considerations in computer support and operations, the ninth practice, describes software support including controls for change management, configuration management, media handling, documentation and maintenance.
Engineering Principles for Information Technology Security
The concepts in SP800-14 are developed further in Engineering Principles for Information Technology Security, Special Publication 800-27, published by NIST in 2001. Security is discussed as an enabler of overall objectives of the organization. This document provides a greater system-level perspective on security, as opposed to the organizational-level perspective in SP800-14. Reference is made to the common criteria found in ISO15408.
SP 800-27 Application Security
SP800-27 includes 33 security principles that apply to the life cycle planning phases discussed in SP800-14. Almost all of these principles are relevant to application security. The first principle is to establish a security policy as a foundation for design. The following principles deal with policy, risk and characteristics of good security, e.g., simplicity. Additional principles discuss access controls, data management and the training of developers in security techniques.
Effect of IT on Auditor's Consideration of Internal Control in a Financial Statement Audit
The AICPA Auditing Standards Board issued The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit (SAS 94) in 2001. This standard requires financial auditors to consider information technology as part of overall internal control. Auditors must understand applications and systems in assessing risk and evaluating the integrity of financial information. This standard has therefore brought fundamental concepts of information security and, specifically, application security to the auditing profession.
SAS 94 updates two previous standards, SAS Nos. 55 and 78, on the Consideration of the Internal Control Structure in a Financial Statement Audit. SAS 94 recognizes the larger role of technology in financial reporting. Internal control in this context refers to automated and manual procedures used in preparing financial statements and related disclosures. The specific procedures relevant to auditors include transaction entries into the general ledger as well as journal entries required on a recurring and non-recurring basis. The entire sequence of initiating, recording and processing journal entries should be understood as part of a financial audit.
SAS 94 Application Security
The AICPA has issued guidelines to understand the controls around financial applications, e.g., the audit guide, Consideration of Internal Control in a Financial Statement Audit. Application controls relevant to a financial audit include access controls, program change controls, job controls, monitoring and systems documentation. Accuracy, completeness and validity of data processing are critical.
The audit standards suggest a two-level approach to understanding internal controls. The first level is a review of the controls placed in operation; the second and more in-depth level is a review of whether the controls are operating effectively. The difference between these two reviews is the scope or extent of internal control testing. The key components of internal control relevant to financial applications are the control environment, risk assessment, control activities, information and communication, and monitoring.
The auditor should obtain evidential matter about the effectiveness of the design and operation of controls that affect financial data. This refers to any financial statement assertions that are initiated, recorded, processed and reported electronically. The standard applies to audits of financial statements for periods beginning on or after 1 June 2001.
The standards and documents presented approach application security from different perspectives. However, the standards share common controls in many areas, such as life cycle development and application input, processing and output. Early works, such as British Standard BS 7799, influenced the NIST SP800 publications and were then transformed into ISO 17799. Similarly, the Common Criteria of ISO 15408 have had a wide impact and are referred to by other standards. COBIT and ISO 15408 appear to have the most depth and detail in their respective approaches to security. Application security is clearly an integral component of overall information security as discussed in the standards and documents.
British Standard BS 7799-1: 1999; Information Security Management, BSI/DISC Committee BDD/2, 1999, www.bspsl.com/secure/iso17799software/cvm.cfm
Control Objectives for Information and related Technology (COBIT) 3rd Edition, IT Governance Institute and Information Systems Audit and Control Foundation, 2000, www.isaca.org//templateredirect.cfm?section=cobit6
ISO/IEC 15408-1: 1999; Evaluation Criteria for IT Security (also known as Common Criteria for Information Technology Security Evaluation), International Organization for Standardization, 1999, csrc.nist.gov/cc/ccv20/ccv2list.htm
ISO/IEC 17799: 2000; Information Technology--Code of Practice for Information Security Management, International Organization for Standardization, 2000, www.ansi.org, www.iso.org and www.securityauditor.net
Generally Accepted Principles and Practices for Securing Information Technology Systems, Special Publication 800-14, US Department of Commerce, National Institute of Standards and Technology, 1996, csrc.nist.gov/publications/nistpubs/
Engineering Principles for Information Technology Security, Special Publication 800-27, US Department of Commerce, National Institute of Standards and Technology, 2001, csrc.nist.gov/publications/nistpubs/
The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit, Statement on Auditing Standard 94 (SAS 94), AICPA Auditing Standards Board, 2001, www.aicpa.org/members/div/auditstd/riasai/sas94.htm
Fredric Greene, CISSP, CPA, CCNA, MCSE
is president of Greene Security & Audit, a consultancy specializing in information security and IT auditing. His previous employment includes the New York Stock Exchange and KPMG.