REVIEW: "Application Security in the ISO27001 Environment", Vinod Vasudevan et al

From: Rob, grandpa of Ryan, Trevor, Devon & Han
Message 1 of 1, Nov 20 9:53 AM

      BKASI27E.RVW 20081010

      "Application Security in the ISO27001 Environment", Vinod Vasudevan et
      al, 2008, 978-1-905356-35-5, UK#39.95
      %A Vinod Vasudevan
      %A Anoop Mangla
      %A Firosh Ummer
      %A Sachin Shetty
      %A Sangita Pakala
      %A Siddarth Anbalahan
      %C Unit 3, Clive Court, Bartholomews's Walk, Ely, UK CB7 4EH
      %D 2008
      %G 978-1-905356-35-5 1-905356-35-8
      %I IT Governance Publishing
      %O UK#39.95 +44(0)845 070 1750 info@...
      %O http://www.amazon.com/exec/obidos/ASIN/1905356358/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/1905356358/robsladesin03-20
      %O Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 216 p.
      %T "Application Security in the ISO27001 Environment"

      The preface states that this book directs the reader as to how to
      secure applications as part of an overall information security
      management system (ISMS).

      As could be surmised by the use of the ISMS acronym, chapter one
      provides us with a terse introduction to the ISO standards 27001 and
      27002. Chapter two then presents a rough outline of a project to
      develop an ISMS. A limited version of a qualitative risk assessment
      process is in chapter three. Chapter four notes that applications can
      be attacked. (The careful reader will note that this is the first
      time that applications are mentioned in the book.)

      Chapter five lists a few security controls (with references to
      somewhat related sections of ISO 27001) that may be relevant to
      certain aspects of application security. The explanations of the
      individual controls are brief. A mention of metrics is added to the
      mix, but an allusion only: those listed appear to be metrics solely
      for the purpose of generating numbers, and their utility is extremely
      limited. Five attacks on applications are outlined in chapter six,
      which relies heavily on screenshots. (The screenshots don't do much
      to explain the attacks.) Chapter seven is a rather random look at
      miscellaneous controls that might be used in a secure software
      development life cycle. An attempt at a simple process which could be
      used to determine all possible threats to an application (and how to
      test for vulnerability to all of them) makes up chapter eight. (As
      anyone who has tried this knows, it is easier said than done.)
      Chapter nine is a grab bag of tips for secure coding, along with
      occasional bits of sample code which may (or may not) illustrate the
      associated point.

      This book doesn't really say much about either application security or
      the ISO 27001 standard. If you want to investigate developing secure
      code, you would be better served by Ian Sommerville's "Software
      Engineering" (cf. BKSFTENG.RVW) or "Software Security: Building
      Security In" by Gary McGraw (cf. BKSWSBSI.RVW). According to a
      response to the draft review from the publisher, the book
      was developed more for ISO 27001 project staff than for developers.
      For information about ISO 27001, I would recommend you read the
      standard itself.

      copyright Robert M. Slade, 2008 BKASI27E.RVW 20081010

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Are you sure that [nine nine nine nine nine nine is] random?
      That's the problem with randomness. You can never be sure.
      victoria.tc.ca/techrev/rms.htm blogs.securiteam.com/index.php/archives/author/p1/