REVIEW: "Application Security in the ISO27001 Environment", Vinod Vasudevan et al

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

BKASI27E.RVW   20081010

"Application Security in the ISO27001 Environment", Vinod Vasudevan et
al, 2008, 978-1-905356-35-5, UK#39.95
%A   Vinod Vasudevan
%A   Anoop Mangla
%A   Firosh Ummer
%A   Sachin Shetty
%A   Sangita Pakala
%A   Siddarth Anbalahan
%C   Unit 3, Clive Court, Bartholomews's Walk, Ely, UK CB7 4EH
%D   2008
%G   978-1-905356-35-5 1-905356-35-8
%I   IT Governance Publishing
%O   UK#39.95 +44(0)845 070 1750
%O  ( product link shortened)
  ( product link shortened)
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   216 p.
%T   "Application Security in the ISO27001 Environment"

The preface states that this book directs the reader as to how to
secure applications as part of an overall information security
management system (ISMS).

As could be surmised by the use of the ISMS acronym, chapter one
provides us with a terse introduction to the ISO standards 27001 and
27002.  Chapter two then presents a rough outline of a project to
develop an ISMS.  A limited version of a qualitative risk assessment
process is in chapter three.  Chapter four notes that applications can
be attacked.  (The careful reader will note that this is the first
time that applications are mentioned in the book.)

Chapter five lists a few security controls (with references to
somewhat related sections of ISO 27001) that may be relevant to
certain aspects of application security.  The explanations of the
individual controls are brief.  A mention of metrics is added to the
mix, but an allusion only: those listed appear to be metrics solely
for the purpose of generating numbers, and their utility is extremely
limited.  Five attacks on applications are outlined in chapter six,
which relies heavily on screenshots.  (The screenshots don't do much
to explain the attacks.)  Chapter seven is a rather random look at
miscellaneous controls that might be used in a secure software
development life cycle.  An attempt at a simple process which could be
used to determine all possible threats to an application (and how to
test for vulnerability to all of them) makes up chapter eight.  (As
anyone who has tried this knows, it is easier said than done.)
Chapter nine is a grab bag of tips for secure coding, along with
occasional bits of sample code which may (or may not) illustrate the
associated point.

This book doesn't really say much about either application security or
the ISO 27001 standard.  If you want to investigate developing secure
code, you would be better served by Ian Sommerville's "Software
Engineering" (cf. BKSFTENG.RVW) or "Software Security: Building
Security In" by Gary McGraw (cf. BKSWSBSI.RVW).  According to a
response to the draft review from the publisher, the book
was developed more for ISO 27001 project staff than for developers.
For information about ISO 27001, I would recommend you read the
standard itself.

copyright Robert M. Slade, 2008   BKASI27E.RVW   20081010

"Dictionary of Information Security," Syngress               1597491152 /
============= for back issues:
[Base URL] site /
CISSP refs:     [Base URL]mnbksccd.htm
Book reviews:   [Base URL]mnbk.htm
Review mailing list: send mail to

Site Timeline