BKASI27E.RVW   20081010

"Application Security in the ISO27001 Environment", Vinod Vasudevan et al, 2008, 978-1-905356-35-5, UK#39.95
%A   Vinod Vasudevan
%A   Anoop Mangla
%A   Firosh Ummer
%A   Sachin Shetty
%A   Sangita Pakala
%A   Siddarth Anbalahan
%C   Unit 3, Clive Court, Bartholomew's Walk, Ely, UK CB7 4EH
%D   2008
%G   978-1-905356-35-5 1-905356-35-8
%I   IT Governance Publishing
%O   UK#39.95 +44(0)845 070 1750 info@itgovernance.co.uk
%O   http://www.amazon.com/exec/obidos/ASIN/1905356358/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/1905356358/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1905356358/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   216 p.
%T   "Application Security in the ISO27001 Environment"

The preface states that this book directs the reader as to how to secure applications as part of an overall information security management system (ISMS).

As could be surmised by the use of the ISMS acronym, chapter one provides us with a terse introduction to the ISO standards 27001 and 27002. Chapter two then presents a rough outline of a project to develop an ISMS. A limited version of a qualitative risk assessment process is in chapter three.

Chapter four notes that applications can be attacked. (The careful reader will note that this is the first time that applications are mentioned in the book.) Chapter five lists a few security controls (with references to somewhat related sections of ISO 27001) that may be relevant to certain aspects of application security. The explanations of the individual controls are brief. A mention of metrics is added to the mix, but an allusion only: those listed appear to be metrics solely for the purpose of generating numbers, and their utility is extremely limited.

Five attacks on applications are outlined in chapter six, which relies heavily on screenshots. (The screenshots don't do much to explain the attacks.)

Chapter seven is a rather random look at miscellaneous controls that might be used in a secure software development life cycle. An attempt at a simple process which could be used to determine all possible threats to an application (and how to test for vulnerability to all of them) makes up chapter eight. (As anyone who has tried this knows, it is easier said than done.) Chapter nine is a grab bag of tips for secure coding, along with occasional bits of sample code which may (or may not) illustrate the associated point.

This book doesn't really say much about either application security or the ISO 27001 standard. If you want to investigate developing secure code, you would be better served by Ian Sommerville's "Software Engineering" (cf. BKSFTENG.RVW) or "Software Security: Building Security In" by Gary McGraw (cf. BKSWSBSI.RVW).

According to a response to the draft review from the publisher, the book was developed more for ISO 27001 project staff than for developers. For information about ISO 27001, I would recommend you read the standard itself.

copyright Robert M. Slade, 2008