How to use Open Web Application Security Project (OWASP) for ISO 27001?

Essentially, OWASP (Open Web Application Security Project) is an online community that develops open, international projects related to web application security; its main purpose is to help organizations build secure web applications. Most of these projects provide documents, guides and tools that can be useful in an ISO 27001 implementation.

Why is OWASP so useful for ISO 27001? Because the main objective of ISO 27001 is the protection of information, and protecting information during software development is part of that objective. Furthermore, a large number of companies don’t know how to protect information during software development, and OWASP can be a great tool for that.

So, let’s see the relationship between OWASP and ISO 27001.

Scope and structure of OWASP

OWASP focuses on web applications mainly because everything is online now: shops, supermarkets, TV programs, travel agencies, libraries, etc. Most applications are written for the web, and OWASP helps developers write secure code by giving them many tools. Most of these tools are free and are used throughout the software development process.

OWASP is composed of the following project types:

  • Flagship projects (mature projects)
  • Lab projects (medium maturity, still in progress)
  • Incubator projects (new projects)

For an ISO 27001 implementation, the most interesting projects are the Flagship projects, because these are finished projects, which means they are more stable. They are mature projects, and their resources (documentation, tools, etc.) are used by companies around the world.


ISO 27001 and software development

ISO 27001 has an Annex where you can find 114 security controls. These controls are generic, but all have the same objective: the protection of information. So you will find controls related to human resources, compliance, suppliers, IT, etc. Of course, you can also find controls related to software development. (See also: Overview of ISO 27001:2013 Annex A.)

Controls that are specifically related to software development are the following:

A.14.2.1 Secure development policy. This concerns the definition of rules for software development. For example, a rule could be to avoid global variables, or to avoid certain insecure functions when writing code.

A.14.2.4 Restrictions on changes to software packages. This concerns changes made to software packages. For example, you should take care when modifying an open source project.

A.14.2.5 Secure system engineering principles. This concerns the basic principles of secure system engineering. For more information on that topic, see the article What are secure engineering principles in ISO 27001:2013 control A.14.2.5.

A.14.2.6 Secure development environment. This concerns the protection of the development environment. For example, only developers can access the development environment, each developer is identified by a unique user account, the development environment is isolated, etc.

A.14.2.8 System security testing. This concerns testing the security functionality of the system. For example, if you have defined a secure channel for accessing a web application, you need to check that HTTPS is actually in place when the application is accessed.
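As an added illustration of such a security test (example code written for this article, not part of OWASP or ISO 27001), the following Python script checks that HTTPS is really enforced: plain HTTP must redirect permanently to the HTTPS origin, the HTTPS origin must send a Strict-Transport-Security header with a long max-age, and every cookie it sets must carry the Secure attribute. The `Response` class, the hostname `shop.example`, the header values and the one-year HSTS threshold are all constructed for the example; in a real test the responses would be captured from the staging deployment with an HTTP client that does not follow redirects.

```python
"""Added example: a system security test for control A.14.2.8 that checks
whether HTTPS is actually enforced for a web application. The Response class
and the sample headers below are constructed so the check runs offline."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

MIN_HSTS_MAX_AGE = 31536000  # one year in seconds (constructed policy threshold)


@dataclass
class Response:
    status: int
    headers: List[Tuple[str, str]] = field(default_factory=list)

    def get_all(self, name: str) -> List[str]:
        # Header names are case-insensitive; Set-Cookie may appear several times.
        return [v for k, v in self.headers if k.lower() == name.lower()]

    def get_first(self, name: str) -> str:
        values = self.get_all(name)
        return values[0] if values else ""


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value; -1 if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else -1


def check_https_enforced(http_resp: Response, https_resp: Response) -> List[str]:
    """Return a list of findings; an empty list means the secure channel is in place."""
    findings = []
    # 1. The plain-HTTP origin must redirect permanently to HTTPS, not serve content.
    if http_resp.status not in (301, 308):
        findings.append(f"http: expected 301/308 redirect, got status {http_resp.status}")
    elif not http_resp.get_first("Location").lower().startswith("https://"):
        findings.append("http: redirect Location is not an https:// URL")
    # 2. The HTTPS origin must send HSTS with a sufficiently long max-age.
    hsts = https_resp.get_first("Strict-Transport-Security")
    if not hsts:
        findings.append("https: Strict-Transport-Security header missing")
    elif hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append(f"https: HSTS max-age below {MIN_HSTS_MAX_AGE} seconds")
    # 3. Every cookie set over HTTPS must carry the Secure attribute.
    for cookie in https_resp.get_all("Set-Cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")]
        if "secure" not in attrs[1:]:  # attrs[0] is the name=value pair
            findings.append(f"https: cookie without Secure attribute: {attrs[0]}")
    return findings


# Constructed sample responses for a compliant and a non-compliant deployment.
GOOD_HTTP = Response(301, [("Location", "https://shop.example/")])
GOOD_HTTPS = Response(200, [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Secure; HttpOnly; SameSite=Lax"),
])
BAD_HTTP = Response(200, [("Content-Type", "text/html")])  # serves the app in clear
BAD_HTTPS = Response(200, [("Set-Cookie", "session=abc123; HttpOnly")])  # no HSTS, no Secure

if __name__ == "__main__":
    for label, pair in (("good", (GOOD_HTTP, GOOD_HTTPS)), ("bad", (BAD_HTTP, BAD_HTTPS))):
        result = check_https_enforced(*pair)
        print(label, "PASS" if not result else "FAIL", result)
```

Each finding maps directly to a sentence you can put in the test report for the control: the test either passes with no findings, or lists exactly which part of the secure channel is missing.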

A.14.2.9 System acceptance testing. This is the execution of certain tests before accepting the system. For example, you can use code analysis tools or vulnerability scanners, and you can decide not to accept a system if it has critical vulnerabilities.
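To show what such an acceptance decision looks like when written down as code, here is an added example (not from OWASP, ISO 27001 or any particular scanner): it reads a scanner report, keeps only the findings that are still open, and rejects the system when the count per severity exceeds the limits in an acceptance policy. The report layout, the finding identifiers, the severity names and the limits in `POLICY` are all constructed for the example; a real tool has its own schema (SARIF, for instance) and would need its own loader.

```python
"""Added example: an acceptance gate for control A.14.2.9 that reads a scanner
report and refuses to accept the system while it has open critical findings.
The report layout, severity names and limits are constructed for this example."""
import json
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed acceptance policy: maximum number of *open* findings per severity
# that the system may carry and still be accepted; None means no limit.
POLICY: Dict[str, Optional[int]] = {"critical": 0, "high": 2, "medium": 10, "low": None}

# Constructed sample report in the shape a code analysis tool or vulnerability
# scanner might export after scanning the staging environment.
SAMPLE_REPORT = json.dumps({
    "target": "https://staging.example",
    "findings": [
        {"id": "F-1", "severity": "Critical", "title": "SQL injection in /search", "status": "open"},
        {"id": "F-2", "severity": "High", "title": "Reflected XSS in /profile", "status": "open"},
        {"id": "F-3", "severity": "Medium", "title": "Missing X-Content-Type-Options", "status": "open"},
        {"id": "F-4", "severity": "Critical", "title": "Outdated TLS library", "status": "fixed"},
    ],
})


def load_open_findings(report_json: str) -> List[Dict]:
    """Parse the report and keep only findings that are still open."""
    data = json.loads(report_json)
    return [f for f in data.get("findings", []) if f.get("status", "open") == "open"]


def evaluate(findings: List[Dict], policy: Dict[str, Optional[int]] = POLICY) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons). Severities the policy does not know fail closed."""
    counts = Counter(f["severity"].lower() for f in findings)
    reasons = []
    for severity, limit in policy.items():
        if limit is not None and counts[severity] > limit:
            ids = ", ".join(f["id"] for f in findings if f["severity"].lower() == severity)
            reasons.append(f"{counts[severity]} open {severity} finding(s) exceed limit {limit}: {ids}")
    unknown = sorted(set(counts) - set(policy))
    if unknown:
        reasons.append(f"unrecognised severity level(s) {unknown}: treated as blocking")
    return (not reasons, reasons)


def accept_system(report_json: str) -> Tuple[bool, List[str]]:
    """Full gate: parse the report and apply the acceptance policy."""
    return evaluate(load_open_findings(report_json))


if __name__ == "__main__":
    accepted, reasons = accept_system(SAMPLE_REPORT)
    print("ACCEPTED" if accepted else "REJECTED")
    for reason in reasons:
        print(" -", reason)
```

Two design points are worth keeping whatever scanner you use: findings that have been fixed or formally risk-accepted are excluded before counting, so the gate reflects the current state of the system, and a severity level the policy does not recognise blocks acceptance rather than being silently ignored.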

Let’s find out how OWASP can help us with these controls.

Best OWASP projects for information security

The most interesting OWASP projects for ISO 27001 are:

  • Top Ten Project – This project lists the 10 most critical web application security risks. It can help us define a secure development policy, which is related to control A.14.2.1: based on the Top 10, we can write a policy that avoids common technical vulnerabilities (for example, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), etc.). It is also related to control A.14.2.5, because we can derive basic secure engineering principles from it.
  • Application Security Verification Standard (ASVS) Project – It can help us test application and system security, which is related to control A.14.2.8. This project gives us documentation that we can use to define requirements for testing the technical security controls of a web application. For example, it defines requirements for testing architecture, authentication, access control, etc.
  • OWTF (Offensive Web Testing Framework) – This can help us perform penetration testing or a vulnerability scan, which is related to control A.14.2.9. This project gives us a software tool that we can use for ethical hacking.
  • Web Testing Environment Project – It can help us define a secure development environment, which is related to control A.14.2.6. This project gives us a software tool that we can use to establish an independent testing environment.
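A secure development policy derived from the Top 10 is only useful if its rules are concrete enough to be checked. As an added illustration (example code written for this article, not OWASP’s or ISO 27001’s), the following Python snippet shows one such rule, "untrusted input is encoded for the HTML context before it is written into a page", as a vulnerable renderer beside a compliant one, plus a small policy check that a test suite can run against any renderer. The page fragment, the `query` parameter and the probe string are constructed for the example.

```python
"""Added example: one rule of a secure development policy (A.14.2.1) derived
from the OWASP Top 10, expressed as code: encode untrusted data for the HTML
context before output. The template and inputs are constructed."""
import html
from typing import Callable


def render_results_unsafe(query: str) -> str:
    # Policy violation: the user-controlled value is interpolated verbatim, so
    # any markup in `query` becomes part of the page (reflected XSS).
    return f"<h1>Results for: {query}</h1>"


def render_results_safe(query: str) -> str:
    # Policy-compliant: html.escape with quote=True encodes < > & " and ', so the
    # value is shown as text whether it lands in an element or an attribute.
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def complies_with_encoding_rule(renderer: Callable[[str], str],
                                probe: str = "\"><script>alert('x')</script>") -> bool:
    """Return True when the renderer never lets the raw probe string reach the page.

    The probe is a constructed test input containing every character the rule
    requires to be encoded; it is the kind of case a unit test would carry."""
    return probe not in renderer(probe)


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_results_unsafe), ("safe", render_results_safe)):
        print(name, "complies" if complies_with_encoding_rule(renderer) else "violates policy")
```

A check like this belongs in the project’s automated tests, so that the policy rule is verified on every build rather than only during a manual review.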

Combine ISO 27001 and OWASP for best results in software development

ISO 27001 is a global solution for information security, because it is composed of generic security controls, while OWASP is a specific solution for security in software development. Since ISO 27001 and OWASP are compatible, they can work together for the protection of information. ISO 27001 can be your overall framework for security management, while OWASP can be your best choice for specific IT security issues related to software development.

To learn more about ISO 27001 controls, check this free whitepaper: Clause-by-clause explanation of ISO 27001.

Author: Antonio Jose Segovia
Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.