Quantum Security Course

Written by: Igor Korotach

Software Security Standards

Structure

  • Software Security Standards
  • Compliance
  • Useful materials while working with security

Software Security Standards.

  1. ISO/IEC 27001
  2. NIST SP 800-53
  3. PCI-DSS (Payment Card Industry Data Security Standard)
  4. IEC 62443
  5. OWASP ASVS (Application Security Verification Standard)

ISO/IEC 27001

ISO/IEC 27001 is an international standard to manage information security.

There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).

ISO/IEC 27001 requires that management:

  • Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

NIST SP 800-53

NIST Special Publication 800-53 is an information security standard that provides a catalog of privacy and security controls for information systems. It was originally intended for U.S. federal agencies other than those related to national security; since the 5th revision it is a standard for general use.

Two related documents, 800-53A and 800-53B, provide guidance and baselines, respectively, based on 800-53.

NIST Special Publication 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200.


NIST SP 800-53. What to follow?

  • Low baseline: If your web application handles public or low-sensitivity data (e.g., a blog, marketing website), and a security breach would cause minimal harm.
  • Moderate baseline: If your web application handles moderately sensitive information (e.g., customer PII, transactional data, or personal health information), or if a breach could lead to financial loss, damage to reputation, or minor operational impact.
  • High baseline: If your web application deals with highly sensitive or critical information (e.g., government data, critical infrastructure, financial systems), or if a breach could result in serious damage (e.g., national security risk, major financial loss, loss of life). It’s also appropriate when the losses could lead to widespread economic harm to multiple stakeholders or the general public, especially if your app is critical to broader financial systems or infrastructure.

PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. It was created to better control cardholder data and reduce credit card fraud. Validation of compliance is performed annually or quarterly with a method suited to the volume of transactions.

In version 3.2.1 of the PCI DSS, the twelve main requirements are:

  • Install and maintain a firewall system to protect cardholder data.
  • Avoid vendor-supplied defaults for system passwords and other security parameters.
  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data on open, public networks.
  • Protect all systems against malware, and update anti-virus software or programs.
  • Develop and maintain secure systems and applications.
  • Restrict access to cardholder data by business need to know.
  • Identify and authenticate access to system components.
  • Restrict physical access to cardholder data.
  • Track and monitor access to network resources and cardholder data.
  • Regularly test security systems and processes.
  • Maintain an information security policy which addresses information security for all personnel.

IEC 62443

IEC 62443 is an international standard that focuses on securing Industrial Automation and Control Systems (IACS). It provides a comprehensive set of guidelines to address cybersecurity in critical infrastructures, such as manufacturing systems, energy grids, water treatment facilities, and other industrial environments. It is designed to help organizations mitigate cybersecurity risks in industrial environments, where both IT (Information Technology) and OT (Operational Technology) coexist.

OWASP ASVS

The OWASP Application Security Verification Standard is an open standard that sets out the coverage and level of rigor expected when it comes to performing web application security verification. The standard also provides a basis for testing any technical security controls that are relied on to protect against vulnerabilities in the application.

The ASVS defines three levels of security verification:

  1. Applications that only need low assurance levels;
  2. Applications which contain sensitive data that require protection (the recommended level for most applications);
  3. The most critical applications that require the highest level of trust.

The ASVS is split into the following sections:

V1 Architecture, Design and Threat Modeling
V2 Authentication
V3 Session Management
V4 Access Control
V5 Validation, Sanitization and Encoding
V6 Stored Cryptography
V7 Error Handling and Logging
V8 Data Protection
V9 Communication
V10 Malicious Code
V11 Business Logic
V12 Files and Resources
V13 API and Web Service
V14 Configuration

How to become compliant?

Steps to achieve compliance

  1. Understand the standard (the standard's documents usually have to be purchased)
  2. Define requirements
  3. Conduct gap analysis
  4. Develop a plan to fix the gaps
  5. Implement controls
  6. Test and verify the introduced measures
  7. Document compliance
  8. Perform internal audit
  9. Perform external audit
  10. Monitor changes in the standard

Useful materials when working with security.

Useful materials when working with security:

  • OWASP Top 10
  • CWE (Common Weakness Enumeration)
  • OWASP DevSecOps Guideline
  • SAFECode

Thanks for your attention. You've been awesome!

Questions?

  • Presentation link: https://slides.com/emulebest/quantum-security-course

Quantum Security Course. Module 3

By Igor Korotach