REVIEW: "Application Security in the ISO27001 Environment", Vinod Vasudevan et al

Discussion in 'Computer Security' started by Rob Slade, doting grandpa of Ryan and Trevor, Nov 20, 2008.

  BKASI27E.RVW 20081010

    "Application Security in the ISO27001 Environment", Vinod Vasudevan et
    al, 2008, 978-1-905356-35-5, UK#39.95
    %A Vinod Vasudevan
    %A Anoop Mangla
    %A Firosh Ummer
    %A Sachin Shetty
    %A Sangita Pakala
    %A Siddarth Anbalahan
    %C Unit 3, Clive Court, Bartholomew's Walk, Ely, UK CB7 4EH
    %D 2008
    %G 978-1-905356-35-5 1-905356-35-8
    %I IT Governance Publishing
    %O UK#39.95 +44(0)845 070 1750
    %O Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
    %P 216 p.
    %T "Application Security in the ISO27001 Environment"

    The preface states that this book directs the reader as to how to
    secure applications as part of an overall information security
    management system (ISMS).

    As could be surmised by the use of the ISMS acronym, chapter one
    provides us with a terse introduction to the ISO standards 27001 and
    27002. Chapter two then presents a rough outline of a project to
    develop an ISMS. A limited version of a qualitative risk assessment
    process is in chapter three. Chapter four notes that applications can
    be attacked. (The careful reader will note that this is the first
    time that applications are mentioned in the book.)

    Chapter five lists a few security controls (with references to
    somewhat related sections of ISO 27001) that may be relevant to
    certain aspects of application security. The explanations of the
    individual controls are brief. A mention of metrics is added to the
    mix, but an allusion only: those listed appear to be metrics solely
    for the purpose of generating numbers, and their utility is extremely
    limited. Five attacks on applications are outlined in chapter six,
    which relies heavily on screenshots. (The screenshots don't do much
    to explain the attacks.) Chapter seven is a rather random look at
    miscellaneous controls that might be used in a secure software
    development life cycle. An attempt at a simple process which could be
    used to determine all possible threats to an application (and how to
    test for vulnerability to all of them) makes up chapter eight. (As
    anyone who has tried this knows, it is easier said than done.)
    Chapter nine is a grab bag of tips for secure coding, along with
    occasional bits of sample code which may (or may not) illustrate the
    associated point.

    This book doesn't really say much about either application security or
    the ISO 27001 standard. If you want to investigate developing secure
    code, you would be better served by Ian Sommerville's "Software
    Engineering" (cf. BKSFTENG.RVW) or "Software Security: Building
    Security In" by Gary McGraw (cf. BKSWSBSI.RVW). According to a
    response to the draft review from the publisher, the book was
    developed more for ISO 27001 project staff than for developers.
    For information about ISO 27001, I would recommend you read the
    standard itself.

    copyright Robert M. Slade, 2008 BKASI27E.RVW 20081010


    "Dictionary of Information Security," Syngress 1597491152
