DRAFT
RECOMMENDED STANDARD
APPLICATION SECURITY REQUIREMENTS
Version 2.0
11 March 2003

DEFENSE INFORMATION SYSTEMS AGENCY
Applications and Computing Security Division
Center for Information Assurance Applications
5275 Leesburg Pike
Falls Church, VA 22041

(This document is for review. Comments, if any, can be sent to JainD@ncr.disa.mil or KoehlerS@ncr.disa.mil)
Draft Recommended Application Security Requirements, Version 2.0, 14 March 2003
FOR INFORMATION PURPOSES
TABLE OF CONTENTS

Version 2.0 ... 1
1. INTRODUCTION ... 1
1.1 Purpose ... 1
1.2 Scope ... 2
1.3 Intended Audience ... 2
1.4 Document Structure ... 2
2. BACKGROUND ... 4
2.1 DISA's Role in Application Security ... 4
2.2 What is an Application? ... 4
2.3 Goal of Application Security ... 4
3. VULNERABILITIES, SECURITY SERVICES, AND ASSURANCE REQUIREMENTS ... 7
3.1 Application Vulnerabilities ... 7
3.1.1 Common Vulnerabilities ... 7
3.1.2 Causes of Vulnerabilities ... 12
3.1.3 Discovering Application Vulnerabilities ... 13
3.2 Application Security Services ... 13
3.2.1 Identification and Authentication ... 13
3.2.2 Authorization ... 14
3.2.3 Access Control ... 14
3.2.4 Confidentiality ... 14
3.2.5 Integrity ... 15
3.2.6 Availability ... 15
3.2.7 Accountability ... 15
3.2.8 Non-Repudiation ... 15
3.3 Assurance of Application Security Mechanisms ... 15
3.3.1 Mission Assurance Categories ... 16
3.3.2 Sensitivity Levels ... 17
3.3.3 Levels of Concern and Levels of Robustness ... 17
3.3.4 Strength of Cryptography ... 19
3.3.5 X.509 Certificate Assurance Levels ... 20
4. APPLICATION SECURITY REQUIREMENTS ... 21
4.1 Assistance for Implementing these Requirements ... 23
4.2 Exclusions from this Document ... 23
4.3 Application Interaction with Underlying Host ... 24
4.4 General Use of Cryptography ... 25
4.5 Design and Coding ... 28
4.6 Identification and Authentication (I&A) ... 38
4.7 Authorization and Session Control ... 46
4.8 Access Control ... 48
4.9 Confidentiality ... 53
4.10 Integrity ... 56
4.11 Availability ... 61
4.12 Accountability ... 66
4.13 Non-Repudiation ... 70
4.14 Preparation for Deployment ... 71
(Page intentionally blank) ... 73
APPENDIX A: ACRONYMS AND ABBREVIATIONS ... 74
APPENDIX B: REFERENCES ... 77
B.1 DOD-Wide Policy and Guidance ... 77
B.2 DISA Policy and Guidance ... 78
B.3 Intelligence Community Policy and Guidance ... 79
B.4 Civilian Agency Policy and Guidance ... 79
B.5 Best Practices ... 79
LIST OF FIGURES

Figure 2-1. Typical Application Architecture ... 6

LIST OF TABLES

Table 3-1. Common Application Vulnerabilities ... 8
Table 3-2. Mission Assurance Categories ... 16
Table 3-3. Levels of Concern and Levels of Robustness ... 18