It is better to address the entire organization’s availability, confidentiality, integrity and authenticity (collectively: security) concerns than to test individual applications for security concerns.

  • ITIL and ITSM World: the IT Infrastructure Library (ITIL) is a series of documents used to aid the implementation of a framework for IT Service Management (ITSM).
  • Critical Security Controls from the Council on CyberSecurity
  • Security Risk Analysis
  • ISO 17799
  • CERT OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning.
  • Business Continuity Planning
  • Open Group’s Open FAIR Standard for risk analysis
  • Information Systems Security Assessment Framework (ISSAF) seeks to evaluate the organization’s information security policies and processes and report on their compliance with IT industry standards and applicable laws and regulatory requirements.
  • NIST SP 800-34 Contingency Planning Guide for Information Technology Systems (Business Continuity Planning)
  • NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
  • The National Security Agency (NSA) InfoSec Assessment Methodology (IAM) was designed specifically for Federal Information Security Management Act (FISMA) compliance.
  • Sherwood Applied Business Security Architecture (SABSA): the What, Why, How, Who, Where and When of the Contextual, Conceptual, Logical, Physical, Component and Operational layers
  • Zachman International’s Zachman Architecture Framework: the What, How, When, Who, Where, and Why of Identification, Definition, Representation, Specification, Configuration and Instantiation
  • Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.
  • w3af Web Application Attack and Audit Framework
  • Common Vulnerability Reporting Framework (CVRF)
  • Microsoft offers a Security Assessment Tool, useful even for non-Microsoft environments.
  • Microsoft Security Development Lifecycle (SDL): procedures for incorporating security into software development, with tools to support steps in the lifecycle as well.
  • 2011 IT Security Best Practices Assessment
  • Information security “best practices”, such as ISO (International Organization for Standardization)/IEC (International Electrotechnical Commission) 17799 and the ISF (Information Security Forum) Standard of Good Practice for Information Security
  • Organizations continue to invest in traditional, layered security infrastructure: firewalls, intrusion detection systems (IDSs), network behavior anomaly detection (NBAD) solutions, and security information and event manager (SIEM) technology. See Narus’ approach with its nSystem cyber security technology.
