ISO 27001:2022 A 8.26 Application security requirements

Application security is the practice of using security software, hardware, techniques, best practices and procedures to protect computer applications from external security threats. Application software programs such as web applications, graphics software, database software, and payment processing software are vital to many critical business operations. However, these applications are often exposed to security vulnerabilities that may result in the compromise of sensitive information. Organisations can establish and apply information security requirements for the development, use, and acquisition of applications.

Application security describes security measures at the application level that aim to prevent data or code within the app from being stolen or hijacked. It encompasses the security considerations that happen during application development and design, but it also involves systems and approaches to protect apps after they are deployed. Application security may include hardware, software, and procedures that identify or minimize security vulnerabilities. A router that prevents anyone from viewing a computer’s IP address from the Internet is a form of hardware application security. But security measures at the application level are also typically built into the software, such as an application firewall that strictly defines what activities are allowed and prohibited. Procedures can entail things like an application security routine that includes protocols such as regular testing.

Control

Information security requirements should be identified, specified and approved when developing or acquiring applications.

Purpose

To ensure all information security requirements are identified and addressed when developing or acquiring applications.

ISO 27002 Implementation Guidance

General

Application security requirements should be identified and specified. These requirements are usually determined through a risk assessment. The requirements should be developed with the support of information security specialists.
Application security requirements can cover a wide range of topics, depending on the purpose of the application.
Application security requirements should include, as applicable:

  1. level of trust in identity of entities (e.g. through authentication) ;
  2. identifying the type of information and classification level to be processed by the application;
  3. need for segregation of access and level of access to data and functions in the application;
  4. resilience against malicious attacks or unintentional disruptions (e.g. protection against buffer overflow or structured query language (SQL) injections);
  5. legal, statutory and regulatory requirements in the jurisdiction where the transaction is generated, processed, completed or stored;
  6. need for privacy associated with all parties involved;
  7. the protection requirements of any confidential information;
  8. protection of data while being processed, in transit and at rest;
  9. need to securely encrypt communications between all involved parties;
  10. input controls, including integrity checks and input validation;
  11. automated controls (e.g. approval limits or dual approvals);
  12. output controls, also considering who can access outputs and its authorization;
  13. restrictions around content of “free-text” fields, as these can lead to uncontrolled storage of confidential data (e.g. personal data);
  14. requirements derived from the business process, such as transaction logging and monitoring, non-repudiation requirements;
  15. requirements mandated by other security controls (e.g. interfaces to logging and monitoring or data leakage detection systems);
  16. error message handling.
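Items 4 and 10 above (resilience against SQL injection, input validation) are easiest to see side by side. The following is an added example, not text or code from ISO 27002 or from this page: one account lookup written the vulnerable way and the hardened way, run against a constructed in-memory SQLite table with a constructed injection string. The table, the usernames and the `USERNAME_RE` allow-list pattern are assumptions made for the demonstration.

```python
"""Added example (not part of ISO 27002): one account lookup written the
vulnerable way and the hardened way.  The table contents and the
malicious input are constructed for the demonstration."""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a three-row accounts table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 120), ("bob", 45), ("carol", 900)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """BAD: the caller-supplied value is spliced into the SQL text, so a
    quote character in it changes the structure of the query."""
    query = f"SELECT username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the value travels separately from the SQL and is
    only ever compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


# Input control (item 10 of the list): an allow-list for the field's shape.
# The pattern is an assumption for this demo, not a requirement of the standard.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}", re.ASCII)


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Validate first, then use the parameterized query; both layers apply."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username has an invalid form")
    return lookup_parameterized(conn, username)


def demo() -> tuple:
    """Run the three variants against a constructed injection string."""
    conn = build_db()
    injected = "x' OR '1'='1"  # constructed malicious input

    leaked_rows = lookup_vulnerable(conn, injected)      # every account
    safe_rows = lookup_parameterized(conn, injected)     # no such username
    try:
        lookup_hardened(conn, injected)
        rejected = False
    except ValueError:
        rejected = True                                   # never reaches the DB
    normal = lookup_hardened(conn, "bob")

    return len(leaked_rows), safe_rows, rejected, normal


if __name__ == "__main__":
    print(demo())
```

The two layers are independent: the parameterized query alone already stops the injection (it returns no rows for the crafted value), and the allow-list alone would reject it before any query runs. Keeping both satisfies the requirement to specify input controls explicitly rather than relying on one mechanism deep in the data layer.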

Transactional services

Additionally, for applications offering transactional services between the organization and a partner, the following should be considered when identifying information security requirements:

  1. the level of trust each party requires in each other’s claimed identity;
  2. the level of trust required in the integrity of information exchanged or processed and the mechanisms for identification of lack of integrity (e.g. cyclic redundancy check, hashing, digital signatures);
  3. authorization processes associated with who can approve contents of, issue or sign key transactional documents;
  4. confidentiality, integrity, proof of dispatch and receipt of key documents and the non-repudiation (e.g. contracts associated with tendering and contract processes);
  5. the confidentiality and integrity of any transactions (e.g. orders, delivery address details and confirmation of receipts);
  6. requirements on how long to maintain a transaction confidential;
  7. insurance and other contractual requirements.
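Item 2 above lists cyclic redundancy checks, hashing and digital signatures as mechanisms for detecting a lack of integrity, and they are not interchangeable. The following added example, which is not part of the standard or of this page, shows which mechanism catches which kind of change: a CRC catches accidental corruption but can be recomputed by anyone, whereas a keyed hash (HMAC) can only be produced by a holder of the shared key. The purchase order bytes, the bit position flipped and `SHARED_KEY` are constructed for the demonstration. Note that an HMAC gives integrity and origin assurance between the two parties sharing the key, but not non-repudiation, since either party could have produced the tag; that requires the digital signatures the standard also mentions, which need asymmetric keys and are not shown here.

```python
"""Added example (not ISO text): which integrity mechanism catches which
kind of change.  The purchase order and the shared key are constructed."""
import hashlib
import hmac
import zlib

# Constructed key transactional document and a constructed shared secret.
ORDER = b"PO-1001|buyer=acme|amount=12500.00|currency=EUR"
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def crc_tag(doc: bytes) -> int:
    """Cyclic redundancy check: detects accidental corruption only."""
    return zlib.crc32(doc)


def hmac_tag(doc: bytes, key: bytes) -> bytes:
    """Keyed hash: a tag only a holder of the shared key can produce."""
    return hmac.new(key, doc, hashlib.sha256).digest()


def verify_crc(doc: bytes, tag: int) -> bool:
    return zlib.crc32(doc) == tag


def verify_hmac(doc: bytes, tag: bytes, key: bytes) -> bool:
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hmac_tag(doc, key), tag)


def flip_one_bit(doc: bytes, index: int) -> bytes:
    """Simulate a transmission error: one bit changes in transit."""
    corrupted = bytearray(doc)
    corrupted[index] ^= 0x01
    return bytes(corrupted)


def demo() -> dict:
    sent_crc = crc_tag(ORDER)
    sent_mac = hmac_tag(ORDER, SHARED_KEY)

    # Case 1: accidental corruption on the wire.  Both checks notice.
    damaged = flip_one_bit(ORDER, 20)
    accidental = {
        "crc_detects": not verify_crc(damaged, sent_crc),
        "hmac_detects": not verify_hmac(damaged, sent_mac, SHARED_KEY),
    }

    # Case 2: deliberate alteration by someone who can also recompute the
    # CRC (it needs no secret) but does not hold the shared key.
    altered = ORDER.replace(b"amount=12500.00", b"amount=91500.00")
    forged_crc = crc_tag(altered)              # recomputed, so the CRC passes
    deliberate = {
        "crc_detects": not verify_crc(altered, forged_crc),
        "hmac_detects": not verify_hmac(altered, sent_mac, SHARED_KEY),
    }
    return {"accidental": accidental, "deliberate": deliberate}


if __name__ == "__main__":
    print(demo())
```

When specifying the requirement, state which threat the mechanism must address: transmission errors alone justify a CRC or plain hash, whereas altered content from a party on the path needs a keyed or signed tag, and disputes over who issued a document need a signature.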

Electronic ordering and payment applications

Additionally, for applications involving electronic ordering and payment, the following should be considered:

  1. requirements for maintaining the confidentiality and integrity of order information;
  2. the degree of verification appropriate to verify payment information supplied by a customer;
  3. avoidance of loss or duplication of transaction information;
  4. storing transaction details outside of any publicly accessible environment (e.g. on a storage platform existing on the organizational intranet, and not retained and exposed on electronic storage media directly accessible from the internet);
  5. where a trusted authority is used (e.g. for the purposes of issuing and maintaining digital signatures or digital certificates) security is integrated and embedded throughout the entire end-to-end certificate or signature management process.

Several of the above considerations can be addressed by the application of cryptography, taking into consideration legal requirements.
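Item 3 of the electronic ordering and payment list (avoidance of loss or duplication of transaction information) is usually met by combining client retries with server-side idempotency, which also covers the "duplication or replay" threats named under Other information. The following is an added example, not part of ISO 27002 or of this page: a payment endpoint that records each transaction exactly once and rejects messages older than a freshness window. The `Payment` fields, the fixed clock value, the 300-second window and the sample transaction ids are assumptions made for the demonstration.

```python
"""Added example (not ISO text): a payment endpoint that neither loses nor
duplicates transactions.  Sample payments and the clock are constructed."""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    txn_id: str        # client-chosen unique id, reused verbatim on every retry
    amount_cents: int
    issued_at: float   # sender's timestamp, epoch seconds


class PaymentProcessor:
    """Accept each transaction exactly once; reject stale replays."""

    def __init__(self, max_age_seconds: float = 300.0, clock=time.time):
        self._clock = clock
        self._max_age = max_age_seconds
        self._seen: dict = {}     # txn_id -> outcome; durable storage in practice
        self.ledger: list = []    # the only place a payment is ever posted

    def submit(self, payment: Payment) -> str:
        # Freshness window: limits how long a captured message stays usable.
        if self._clock() - payment.issued_at > self._max_age:
            return "rejected:stale"
        # Idempotency: a retry after a lost acknowledgement returns the
        # original outcome instead of posting the payment a second time.
        if payment.txn_id in self._seen:
            return "duplicate:" + self._seen[payment.txn_id]
        self.ledger.append(payment)
        self._seen[payment.txn_id] = "accepted"
        return "accepted"


def demo() -> tuple:
    now = 1_700_000_000.0                       # constructed fixed clock
    proc = PaymentProcessor(max_age_seconds=300, clock=lambda: now)

    first = Payment("ord-42", 12_500, issued_at=now - 5)
    r1 = proc.submit(first)                     # accepted
    r2 = proc.submit(first)                     # client retried: duplicate
    stale = Payment("ord-43", 900, issued_at=now - 3600)
    r3 = proc.submit(stale)                     # replayed an hour later
    return r1, r2, r3, len(proc.ledger)


if __name__ == "__main__":
    print(demo())
```

Loss is avoided because the client keeps retrying the same `txn_id` until it receives an acknowledgement; duplication is avoided because the server answers a retry from `_seen` rather than the ledger. Because anything older than the window is rejected outright, `_seen` only needs to retain ids for the length of the window, which keeps the store bounded.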

Other information

Applications accessible via networks are subject to a range of network related threats, such as fraudulent activities, contract disputes or disclosure of information to the public; incomplete transmission, mis-routing, unauthorized message alteration, duplication or replay. Therefore, detailed risk assessments and careful determination of controls are indispensable. Controls required often include cryptographic methods for authentication and securing data transfer.

Application security is the process of developing, adding, and testing security features within applications to prevent security vulnerabilities against threats such as unauthorized access and modification. Application security is important because today’s applications are often available over various networks and connected to the cloud, increasing their exposure to security threats and breaches. There is increasing pressure and incentive to ensure security not only at the network level but also within applications themselves. One reason for this is that hackers target applications with their attacks more today than in the past. Application security testing can reveal weaknesses at the application level, helping to prevent these attacks.

Security measures include improving security practices in the software development life cycle and throughout the application life cycle. All application security activities should minimize the likelihood that malicious actors can gain unauthorized access to systems, applications or data. The ultimate goal of application security is to prevent attackers from accessing, modifying or deleting sensitive or proprietary data. Any action taken to ensure application security is a countermeasure or security control. A security control can be defined as a safeguard or countermeasure prescribed for an information system or an organization, designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.

Application security countermeasures include the following:

  • firewalls
  • encryption and decryption programs
  • antivirus programs
  • spyware detection and removal programs
  • biometric authentication systems

Types of application security

Different types of application security features include authentication, authorization, encryption, logging, and application security testing. Developers can also code applications to reduce security vulnerabilities.

Authentication: When software developers build procedures into an application to ensure that only authorized users gain access to it. Authentication procedures ensure that a user is who they say they are. This can be accomplished by requiring the user to provide a user name and password when logging in to an application. Multi-factor authentication requires more than one form of authentication—the factors might include something you know (a password), something you have (a mobile device), and something you are (a thumb print or facial recognition).
Authorization: After a user has been authenticated, the user may be authorized to access and use the application. The system can validate that a user has permission to access the application by comparing the user’s identity with a list of authorized users. Authentication must happen before authorization so that the application matches only validated user credentials to the authorized user list.
Encryption: After a user has been authenticated and is using the application, other security measures can protect sensitive data from being seen or even used by a cybercriminal. In cloud-based applications, where traffic containing sensitive data travels between the end user and the cloud, that traffic can be encrypted to keep the data safe.
Logging: If there is a security breach in an application, logging can help identify who got access to the data and how. Application log files provide a time-stamped record of which aspects of the application were accessed and by whom.
Application security testing: A necessary process to ensure that all of these security controls work properly.
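The ordering the text insists on (authentication first, then authorization, with both logged) is simple to enforce in code. The following added example is not from this page: a password store using salted PBKDF2 hashes, an `authorize` step that refuses to decide for an unauthenticated principal, and an audit list that receives a time-stamped record for every decision. The users, passwords, `ROLES`, `PERMISSIONS` and the iteration count are constructed for the demonstration.

```python
"""Added example (not from the page): authentication, then authorization,
each writing a time-stamped audit record.  Users, roles and passwords are
constructed for the demonstration."""
import hashlib
import hmac
import os
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000  # cost parameter, an assumption; tune to the deployment


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so the store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_store(credentials: dict) -> dict:
    """Constructed user store: {username: {"salt": ..., "hash": ...}}."""
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        store[username] = {"salt": salt, "hash": hash_password(password, salt)}
    return store


# Constructed authorization data: role membership and what each role may do.
ROLES = {"alice": {"viewer"}, "bob": {"viewer", "approver"}}
PERMISSIONS = {"view_report": {"viewer", "approver"}, "approve_payment": {"approver"}}


def audit(log: list, event: str, **fields) -> None:
    """Append a time-stamped record (the logging control)."""
    log.append({"ts": time.time(), "event": event, **fields})


def authenticate(store: dict, username: str, password: str, log: list) -> Optional[str]:
    """Return the verified principal, or None.  Failures are logged too."""
    record = store.get(username)
    if record is not None and hmac.compare_digest(
        hash_password(password, record["salt"]), record["hash"]
    ):
        audit(log, "auth_success", user=username)
        return username
    audit(log, "auth_failure", user=username)
    return None


def authorize(principal: Optional[str], action: str, log: list) -> bool:
    """Decide on an action for an already authenticated principal."""
    if principal is None:
        # Authentication must precede authorization; refuse to decide.
        raise PermissionError("authentication required before authorization")
    allowed = bool(ROLES.get(principal, set()) & PERMISSIONS.get(action, set()))
    audit(log, "authz_decision", user=principal, action=action, allowed=allowed)
    return allowed


def demo() -> tuple:
    log: list = []
    store = make_user_store({"alice": "correct horse battery", "bob": "hunter2!"})

    alice = authenticate(store, "alice", "correct horse battery", log)
    can_view = authorize(alice, "view_report", log)          # True
    can_approve = authorize(alice, "approve_payment", log)   # False
    nobody = authenticate(store, "alice", "wrong password", log)

    events = [entry["event"] for entry in log]
    return can_view, can_approve, nobody is None, events


if __name__ == "__main__":
    print(demo())
```

The audit list answers the question the Logging paragraph raises, who accessed what and when, because failed logins and denied actions are recorded alongside successes; a log that records only successes cannot show an attempted breach.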

Organisations should carry out a risk assessment to determine the type of information security requirements appropriate to a particular application. While the content and types of information security requirements may vary depending on the nature of the application, the requirements should address the following:

  • The degree of trust assigned to the identity of specific entities.
  • Identification of the level of classification assigned to information assets to be stored on or processed by the application.
  • Whether there is a need to segregate the access to functions and information stored on the application.
  • Whether the application is resilient against malicious attacks, such as SQL injection, and unintentional disruptions, such as a buffer overflow.
  • Legal, regulatory and statutory requirements and standards applicable to the transaction processed, generated, stored, or completed by the application.
  • Privacy considerations for all parties involved.
  • Requirements for the protection of confidential data.
  • Protection of information when in use, in transit, or at rest.
  • Whether secure encryption of communications between all relevant parties is necessary.
  • Implementation of input controls such as input validation or performing integrity checks.
  • Carrying out automated controls.
  • Performing output controls, taking into account who can view outputs and the authorisation for access.
  • Need to impose restrictions on the content of “free-text” fields to protect the dissemination of confidential data in an uncontrollable manner.
  • Requirements arising out of business needs such as logging of transactions and non-repudiation requirements.
  • Requirements imposed by other security controls such as data leakage detection systems.
  • How to handle error messages.

Organisations should take into account the following seven recommendations when an application offers transactional services between the organisation and a partner:

  • The degree of trust each party in the transaction requires in the other party’s identity.
  • The degree of trust required in the integrity of data communicated or processed and identification of a proper mechanism to detect any lack of integrity, including tools such as hashing and digital signatures.
  • Establishment of an authorisation process for who is allowed to approve the content of, sign, or sign off on essential transactional documents.
  • Maintaining the confidentiality and integrity of the critical documents and proving sending and receipt of such documents.
  • Protecting and maintaining the integrity and confidentiality of all transactions such as orders and receipts.
  • Requirements for what time period transactions shall be kept confidential.
  • Contractual requirements and requirements related to insurance.

When applications include payment and electronic ordering functionality, organisations should take into account the following:

  • Requirements to ensure that the confidentiality and integrity of order information are not compromised.
  • Determining an appropriate degree of verification to verify the payment details provided by a customer.
  • Preventing the loss or duplication of transaction information.
  • Ensuring that transaction information is stored outside of a publicly accessible environment, such as on storage media housed on the organisation’s own intranet.
  • Where organisations rely on a trusted external authority such as for the issuance of digital signatures, they must ensure that security is integrated across the entire process.

Application security controls are techniques to enhance the security of an application at the coding level, making it less vulnerable to threats. Many of these controls deal with how the application responds to unexpected inputs that a cybercriminal might use to exploit a weakness. A programmer can write code for an application in such a way that the programmer has more control over the outcome of these unexpected inputs. Fuzzing is a type of application security testing where developers test the results of unexpected values or inputs to discover which ones cause the application to act in an unexpected way that might open a security hole.

When applications are accessed through networks, they are vulnerable to threats such as contract disputes, fraudulent activities, mis-routing, unauthorized changes to the content of communications, or loss of confidentiality of sensitive information. Organisations should perform comprehensive risk assessments to identify appropriate controls, such as the use of cryptography, to ensure the security of information transfers. The information involved in application service transactions must be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication, or replay. Additional protection is likely to be required to secure application service transactions (not necessarily just financial transactions). This may include the use of electronic signatures, the use of encryption, and the use of secure protocols. Ongoing monitoring of such transactions in near real time is also likely to be required.
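The fuzzing described above can be shown on a small scale. The following added example is not from this page: a mutation fuzzer that repeatedly edits a seed order line and feeds it to two parsers, a naive one that trusts the input shape and a hardened one that allow-lists the whole line and rejects everything else through a single controlled exception. The order-line format, `SEED_INPUT`, `ORDER_RE`, the length limit and the number of rounds are constructed for the demonstration.

```python
"""Added example (not from the page): a small mutation fuzzer run over a
naive order-line parser and over a hardened one.  The seed line and the
parsers are constructed for the demonstration."""
import random
import re
import string

SEED_INPUT = "PO-1001|qty=3|price=12.50"


def parse_order_naive(line: str) -> dict:
    """Trusts the input shape; malformed lines raise assorted exceptions."""
    order_id, qty_field, price_field = line.split("|")
    qty = int(qty_field.split("=")[1])
    unit_price = float(price_field.split("=")[1])
    total = qty * unit_price
    return {"id": order_id, "qty": qty, "total": total, "per_item": total / qty}


class InvalidOrder(ValueError):
    """The one controlled way the hardened parser rejects input."""


# Constructed allow-list for the whole line (ASCII digits only).
ORDER_RE = re.compile(r"(PO-\d{1,8})\|qty=(\d{1,6})\|price=(\d{1,7}\.\d{2})", re.ASCII)


def parse_order_hardened(line: str) -> dict:
    """Allow-list the whole line before touching any field."""
    if len(line) > 64:
        raise InvalidOrder("line too long")
    match = ORDER_RE.fullmatch(line)
    if match is None:
        raise InvalidOrder("line does not match the order format")
    order_id, qty, unit_price = match.group(1), int(match.group(2)), float(match.group(3))
    if qty == 0:
        raise InvalidOrder("quantity must be positive")   # avoids the division below
    total = qty * unit_price
    return {"id": order_id, "qty": qty, "total": total, "per_item": total / qty}


def mutate(rng: random.Random, text: str) -> str:
    """One random edit: delete, insert or replace a single character."""
    op = rng.choice(("delete", "insert", "replace"))
    if op == "insert" or not text:
        pos = rng.randrange(len(text) + 1)
        return text[:pos] + rng.choice(string.printable) + text[pos:]
    pos = rng.randrange(len(text))
    if op == "delete":
        return text[:pos] + text[pos + 1:]
    return text[:pos] + rng.choice(string.printable) + text[pos + 1:]


def fuzz(parser, seed_input: str = SEED_INPUT, rounds: int = 2000, seed: int = 1) -> dict:
    """Return {exception name: first input that triggered it}.  InvalidOrder
    is the expected, controlled rejection and is not counted as a finding."""
    rng = random.Random(seed)            # fixed seed so runs are reproducible
    findings = {}
    for _ in range(rounds):
        candidate = seed_input
        for _ in range(rng.randint(1, 3)):   # stack a few edits per case
            candidate = mutate(rng, candidate)
        try:
            parser(candidate)
        except InvalidOrder:
            continue
        except Exception as exc:             # anything else is an unhandled path
            findings.setdefault(type(exc).__name__, candidate)
    return findings


def demo() -> tuple:
    naive = fuzz(parse_order_naive)
    hardened = fuzz(parse_order_hardened)
    return sorted(naive), len(hardened)


if __name__ == "__main__":
    print(demo())
```

Each entry in the naive parser's findings is a reproducer the developer can turn into a regression test; the hardened parser produces none because every rejection goes through `InvalidOrder`, which also gives the error-message handling requirement a single place to decide what the caller is told.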

Application developers perform application security testing as part of the software development process to ensure there are no security vulnerabilities in a new or updated version of a software application. A security audit can make sure the application is in compliance with a specific set of security criteria. After the application passes the audit, developers must ensure that only authorized users can access it. In penetration testing, a developer thinks like a cybercriminal and looks for ways to break into the application. Penetration testing may include social engineering or trying to fool users into allowing unauthorized access. Testers commonly run both unauthenticated security scans and authenticated security scans (as logged-in users), because some vulnerabilities show up in only one of the two states.
