REVIEW: "Application Security in the ISO27001 Environment", Vinod Vasudevan et al

Posted by Rob Slade, doting grandpa of R on November 20, 2008, 12:38 pm
BKASI27E.RVW 20081010

"Application Security in the ISO27001 Environment", Vinod Vasudevan et
al, 2008, 978-1-905356-35-5, UK#39.95
%A Vinod Vasudevan
%A Anoop Mangla
%A Firosh Ummer
%A Sachin Shetty
%A Sangita Pakala
%A Siddarth Anbalahan
%C Unit 3, Clive Court, Bartholomew's Walk, Ely, UK CB7 4EH
%D 2008
%G 978-1-905356-35-5 1-905356-35-8
%I IT Governance Publishing
%O UK#39.95 +44(0)845 070 1750 info@itgovernance.co.uk
%O http://www.amazon.com/exec/obidos/ASIN/1905356358/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1905356358/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1905356358/robsladesin03-20
%O Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 216 p.
%T "Application Security in the ISO27001 Environment"

The preface states that this book directs the reader as to how to
secure applications as part of an overall information security
management system (ISMS).

As could be surmised by the use of the ISMS acronym, chapter one
provides us with a terse introduction to the ISO standards 27001 and
27002. Chapter two then presents a rough outline of a project to
develop an ISMS. A limited version of a qualitative risk assessment
process is in chapter three. Chapter four notes that applications can
be attacked. (The careful reader will note that this is the first
time that applications are mentioned in the book.)

Chapter five lists a few security controls (with references to
somewhat related sections of ISO 27001) that may be relevant to
certain aspects of application security. The explanations of the
individual controls are brief. A mention of metrics is added to the
mix, but an allusion only: those listed appear to be metrics solely
for the purpose of generating numbers, and their utility is extremely
limited. Five attacks on applications are outlined in chapter six,
which relies heavily on screenshots. (The screenshots don't do much
to explain the attacks.) Chapter seven is a rather random look at
miscellaneous controls that might be used in a secure software
development life cycle. An attempt at a simple process which could be
used to determine all possible threats to an application (and how to
test for vulnerability to all of them) makes up chapter eight. (As
anyone who has tried this knows, it is easier said than done.)
Chapter nine is a grab bag of tips for secure coding, along with
occasional bits of sample code which may (or may not) illustrate the
associated point.

This book doesn't really say much about either application security or
the ISO 27001 standard. If you want to investigate developing secure
code, you would be better served by Ian Sommerville's "Software
Engineering" (cf. BKSFTENG.RVW) or "Software Security: Building
Security In" by Gary McGraw (cf. BKSWSBSI.RVW). According to a
response to the draft review from the publisher, the book
was developed more for ISO 27001 project staff than for developers.
For information about ISO 27001, I would recommend you read the
standard itself.

copyright Robert M. Slade, 2008 BKASI27E.RVW 20081010

--
======================
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
"Dictionary of Information Security," Syngress 1597491152
http://blogs.securiteam.com/index.php/archives/author/p1/
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
Book reviews: [Base URL]mnbk.htm
Review mailing list: send mail to techbooks-subscribe@egroups.com
or techbooks-subscribe@topica.com

