WeCyberYou! Unlocked Podcast
The WeCyberYou! Unlocked Podcast breaks down cyber security, online safety and digital risks into clear, practical conversations anyone can understand.
Each episode is designed for a specific audience, ensuring the advice is relevant, accessible and grounded in real-world scenarios - not technical jargon.
Cyber Security Frameworks Demystified Part 7 - ISO/IEC 27034
In this episode, we explain what ISO/IEC 27034 is, why secure software development is critical and how this standard helps organisations stay protected.
Duration: 0:19:53
Visit https://www.wecyberyou.com for more cyber security education, resources and awareness content like this.
Thank you for listening.
WeCyberYou! Team
Like and follow us to be notified when a new episode is released on this channel.
SPEAKER_00: Welcome to the WeCyberYou! Unlocked Podcast. I am your host, and today we're jumping into a brand new deep dive.
SPEAKER_01: Hi, everyone. It is great to be here as always.
SPEAKER_00: So imagine you are building like your absolute dream house, right? Oh, sure. You wouldn't pour the concrete foundation, uh, construct the walls, paint the living room, move all your beautiful new furniture in. And then as you are just sitting on the couch, relaxing, look around and say, Hey, how do we install the wiring for the alarm system?
SPEAKER_01: Right. Because by then I mean you'd have to tear down the drywall you just painted.
SPEAKER_00: Exactly. You are retrofitting, it's messy, it's massively expensive. And honestly, it just never works as well as if you had planned for it in the architectural drawings from day one.
SPEAKER_01: It is a complete structural nightmare. And yet, you know, for a very long time, that is exactly how the software industry treated application security.
SPEAKER_00: Oh, totally.
SPEAKER_01: They would just build the entire app, paint the digital walls, get it all ready for the user, and then uh try to bolt a security system onto the outside of it right before launch.
SPEAKER_00: Which brings us to our mission today. For this deep dive, we are pulling the most critical insights from a single highly technical source. It's an overview of a global standard known as ISO 27034.
SPEAKER_01: Yeah, the big one.
SPEAKER_00: And whether you are a software developer, a project manager, or just someone listening who is incredibly curious about why so many apps seem to get hacked these days, well, this is the blueprint that aims to stop vulnerabilities before they even see the light of day.
SPEAKER_01: Yeah, that's the goal.
SPEAKER_00: Okay, let's unpack this. Because to really understand why this standard matters to you, we first need to figure out where it lives within the broader, you know, universe of cybersecurity rules.
SPEAKER_01: Right. And to provide that context, we have to look at the broader ISO 27000 family, which is essentially, well, it's the gold standard for global cybersecurity frameworks. Right. But it's a hierarchy, right? You have to look at it in layers. So at the very top, you have ISO 27001. That is the big picture. It defines what overall security management system an organization needs to implement to keep their data safe.
SPEAKER_00: So ISO 27001 is like the ultimate bird's eye view.
SPEAKER_01: Yeah, exactly.
SPEAKER_00: It is the mandate that just says you must have a security program.
SPEAKER_01: Exactly that. Then stepping down a level into the more uh practical realm, you have ISO 27002.
SPEAKER_00: Okay.
SPEAKER_01: That standard defines how to implement general security controls across the entire organization. So it covers things like physical security for the office building, um, employee background checks, and general network defenses.
SPEAKER_00: Got it. So it's still pretty broad.
SPEAKER_01: Yeah, very broad. But then we step down one more level and arrive at ISO 27034. And this one is entirely laser focused. It does not care about the physical office building or the broad network. It is specifically about how to secure software applications.
SPEAKER_00: Right.
SPEAKER_01: And what's fascinating here is the underlying reason this highly specific standard had to be created in the first place. I mean, modern cyber attacks heavily target applications, specifically web apps, mobile apps, and APIs.
SPEAKER_00: Which are the exact things you and I literally tap, swipe, and click on all day long.
SPEAKER_01: Yes. User interfaces and you know the hidden data pipes connecting them. Attackers are constantly exploiting application layer risks.
SPEAKER_00: Like what kind of risks?
SPEAKER_01: Well, the source material specifically calls out threats like SQL injection and cross-site scripting or XSS, as well as uh authentication bypasses. They look for insecure APIs to basically slip through the cracks.
SPEAKER_00: Okay, let's pause there for a second because terms like SQL injection and cross-site scripting, I mean, they get thrown around a lot in tech, but we need to understand the mechanics of why they are so dangerous. Sure. If I understand correctly, an SQL injection is basically like walking up to a security guard, handing them a piece of paper that says, I am the boss, give me the master keys. And the guard actually does it because they don't know how to distinguish between a regular visitor and an administrative command.
SPEAKER_01: That is a highly accurate way to visualize it. Yeah.
SPEAKER_00: So the application accidentally runs malicious database code because it just wasn't built to filter it out.
SPEAKER_01: Right. With a SQL injection, the hacker types database commands into a standard text box, like uh a username field or a search bar.
SPEAKER_00: Oh, wow. Just right in the open.
SPEAKER_01: Yeah. And if the application isn't built securely, it passes that command directly to the database, which then just hands over user passwords, credit card numbers, or whatever else the hacker asks for.
SPEAKER_00: That is terrifying. And what about cross-site scripting?
SPEAKER_01: So cross-site scripting is a similar concept, but it attacks the user rather than the database. A hacker injects a malicious script into a trusted website. And when you visit that site, your browser runs the script, potentially stealing your session cookies or, you know, logging your keystrokes.
SPEAKER_00: Yikes. So let me see if I can map out this whole ISO hierarchy with an analogy just to make sure we're on the same page.
SPEAKER_01: Go for it.
SPEAKER_00: If ISO 27001 is a city planner's zoning laws dictating where the commercial and residential zones go, setting the broad rules, right? And ISO 27002 is the general building code that says every commercial building needs fire exits and smoke detectors.
SPEAKER_01: Yeah. Tracking so far.
SPEAKER_00: Then ISO 27034 is the highly detailed architectural blueprint for constructing a bank vault. I mean, is this standard basically an admission that our previous general security rules just weren't cutting it for complex software?
SPEAKER_01: It is absolutely an admission of reality. General building codes do not tell you how to build a bank vault. And general network security policies do not tell a software engineer how to write secure code to prevent an SQL injection.
SPEAKER_00: That makes total sense.
SPEAKER_01: You cannot just put a firewall around a badly written application and call it secure. The code itself has to be resilient.
SPEAKER_00: Which brings up a massive logistical problem because building that highly customized bank vault from scratch every single time an organization writes a new piece of software sounds incredibly exhausting.
SPEAKER_01: Oh, it would be impossible.
SPEAKER_00: Right. If a company has thousands of developers, how do they standardize this? In the source material, there are two foundational acronyms that serve as the master blueprints for this whole operation, the ONF and the ANF.
SPEAKER_01: Yeah, acronyms are basically the lifeblood of cybersecurity, unfortunately.
SPEAKER_00: Always.
SPEAKER_01: But the mechanics behind these two are incredibly logical once you break them down. So ONF stands for Organization Normative Framework. This is the absolute foundation of ISO 27034. It is the master security blueprint for all applications within an entire organization.
SPEAKER_00: Okay.
SPEAKER_01: It defines the overarching security policies, the standardized processes, and the reusable security requirements.
SPEAKER_00: Reusable being the magic word there, I assume.
SPEAKER_01: Yes, exactly. And then branching off from that, you have the ANF, which stands for the Application Normative Framework.
SPEAKER_00: So that's for the specific app.
SPEAKER_01: Right. Each individual application a company builds has its own ANF, which is derived directly from that master ONF blueprint. The ANF includes the specific risks for that particular app, the required security controls it needs, and you know, any specific regulatory compliance requirements it has to meet.
SPEAKER_00: Okay, I want to make sure I have the mechanism right here. Let's say we are looking at a major global automaker. The ONF would be the automaker's universal non-negotiable safety standards, saying every single vehicle we produce, no matter what, must have brakes, seat belts, and a certain crash test rating. Yep, exactly. But the ANF is the specific implementation. So the ANF for a heavy-duty family minivan is going to require different specific safety features and roll cage designs than the ANF for a lightweight, high-performance sports car. Right. They both inherit the master rules, but they apply them based on what the vehicle actually does.
SPEAKER_01: That is exactly how it works. It is the core principle of standardization, which is one major pillar of ISO 27034. Reusable frameworks reduce inconsistency and errors. I mean, if you have 50 different development teams scattered across the globe, you do not want 50 different interpretations of what secure means.
SPEAKER_00: That sounds like a recipe for disaster.
SPEAKER_01: Oh, it is. So the ONF sets the baseline. It guarantees that every team is pulling from the same library of approved security controls. Then the ANF tailors that baseline to the unique reality of the specific application being built. It's just a highly efficient way to scale security across a massive enterprise without reinventing the wheel.
SPEAKER_00: Here's where it gets really interesting because having beautiful blueprints is great. A master ONF and a tailored ANF sound perfect on paper.
SPEAKER_01: Yeah, on paper.
SPEAKER_00: But blueprints are just paper. Eventually, someone has to sit down at a keyboard and actually write the code. And if a developer is rushing to meet a Friday deadline, they might just ignore the blueprint entirely. So how does the standard actually force developers to use the blueprint?
SPEAKER_01: Well, the source material outlines the application security lifecycle to explain how this plays out chronologically. It breaks it down into five stages, and it uses a really helpful real-world example of a fintech company building a new payment application.
SPEAKER_00: Okay, let's walk through this mechanism. So stage one is design.
SPEAKER_01: Right. And in the design stage, the development and security teams sit down together to do threat modeling and plan a secure architecture. You're essentially planning for the worst possible scenarios before a single line of code is ever written.
SPEAKER_00: That's super proactive.
SPEAKER_01: Yeah. So for our FinTech app example, specifically imagine building a transfer funds feature. Threat modeling means asking, what happens if an attacker intercepts the data packet while the funds are moving and changes the recipient account number?
SPEAKER_00: Wow. Yeah.
SPEAKER_01: You identify that risk, and the design dictates that the data must be heavily encrypted in transit. Makes sense.
SPEAKER_00: Then comes stage two, development. And this isn't just typing out the feature. The standard mandates secure coding practices and rigorous code reviews. Exactly. So going back to our transfer funds button, the developer isn't just writing code to make the transfer happen. They are writing code specifically to withstand an attack. They are implementing strict input validation so that if a hacker tries to type in SQL injection into the amount to transfer box, the application immediately rejects it instead of processing it.
SPEAKER_01: Which leads directly into stage three, testing. You do not just run the app and say, well, it didn't crash, we'd ship it. You perform deep vulnerability assessments and penetration testing.
SPEAKER_00: Right. You're trying to break it.
SPEAKER_01: Yeah, you actively hire security professionals to try and break your own application before you launch to the public. They will attack that transfer funds feature from every conceivable angle to ensure the controls you built in the development phase actually hold up.
SPEAKER_00: And the source also mentions the OWASP top ten during this testing phase. For those who aren't familiar, OWASP is essentially the industry's master list of the ten most critical web application security risks. It is the cheat sheet of the worst software flaws out there.
SPEAKER_01: It really is.
SPEAKER_00: So during stage three, they are explicitly checking the app against that master list to ensure none of those critical flaws made it through.
SPEAKER_01: Yes. And assuming it passes, you move to stage four, deployment.
SPEAKER_00: Finally going live.
SPEAKER_01: The application is going live. But ISO 27034 requires secure configuration and environment hardening. You are locking down the servers, the databases, and the cloud environments where the application lives. You are disabling default passwords and uh closing unnecessary network ports.
SPEAKER_00: And finally, stage five, maintenance. The app is out in the wild generating revenue, but the job isn't remotely done, is it?
SPEAKER_01: Never.
SPEAKER_00: The source emphasizes patch management and continuous monitoring. You have to keep updating the application as brand new threats emerge because the hackers certainly aren't taking days off.
SPEAKER_01: No, they are not. Those five stages represent a profound philosophical shift in software development. Security is embedded sequentially across the entire life cycle. It is completely integrated. It is not just a frantic testing phase at the very end of the line.
SPEAKER_00: Now, looking at the actual controls mentioned in the source for that fintech app, things like multi-factor authentication mechanisms, heavy duty encryption, strict session management where it logs you out after two minutes of inactivity, I mean, these are intense security measures.
SPEAKER_01: Very intense.
SPEAKER_00: But the standard heavily emphasizes taking a risk-based approach. So does that mean the fintech payment app gets the heavy-duty encryption and strict session management? Whereas a simple internal company weather app made by the same organization might get a much lighter version of the ANF.
SPEAKER_01: If we connect this to the bigger picture, that is the exact brilliance of the risk-based approach. Security decisions under ISO 27034 are entirely dependent on three specific factors. Which are data sensitivity, business impact, and the threat landscape. A FinTech application handling real bank routing numbers and live monetary transactions, well, it has a massive business impact if breached, and it handles highly sensitive data. It requires the most stringent application security controls possible.
SPEAKER_00: Right. It needs the 10-ton steel vault door.
SPEAKER_01: Exactly. But a weather app that simply pings a public server to show employees the local temperature.
SPEAKER_00: Yeah, who cares if that gets hacked?
SPEAKER_01: Well, the business impact of a breach there is negligible, right? And the data is completely public. So the ONF allows the organization to apply a lighter, more appropriate ANF to that weather app. It saves development time, it saves computing resources, and it prevents the security team from becoming a bottleneck while still maintaining a baseline of safety. Proportional security is efficient security.
SPEAKER_00: And the source points out that this life cycle aligns seamlessly with modern development methodologies. It drops a few more acronyms, specifically noting that ISO 27034 is highly compatible with DevSecOps and the secure software development lifecycle, or SSDLC.
SPEAKER_01: Yeah, more alphabet soup.
SPEAKER_00: Right. But basically, these are modern philosophies that blend development, security, and operations into one continuous collaborative loop rather than treating security as a separate, isolated department that just says no to everything. ISO 27034 essentially speaks the language that modern development teams already use.
SPEAKER_01: That alignment is crucial because if a security framework doesn't integrate into a developer's daily workflow, the developer will simply find a way to work around it.
SPEAKER_00: Okay. I'm gonna play devil's advocate for a minute here.
SPEAKER_01: Go for it.
SPEAKER_00: Because on paper, sitting in a podcast studio, this all sounds absolutely flawless. You build a master blueprint, you tailor it to each specific app based on risk, you integrate security into every single phase of development from design to maintenance, and boom, you prevent vulnerabilities before deployment.
SPEAKER_01: Sounds great, right?
SPEAKER_00: It sounds perfect. But if it is this perfect, why doesn't every single company in the world use it flawlessly? What is the reality check here? There has to be friction.
SPEAKER_01: Oh, the reality check is massive friction. The source material outlines several significant challenges in implementation.
SPEAKER_00: I figure.
SPEAKER_01: First and foremost, building an organization normative framework from scratch requires a staggering amount of organizational commitment. It takes time, money, and executive buy-in. This cannot be a side project for a few engineers.
SPEAKER_00: Right. It's a huge undertaking.
SPEAKER_01: Second, it needs deep fundamental integration with development teams, which requires changing corporate culture. Furthermore, the standard itself can be highly complex to set up without proper existing security frameworks in place, and it demands relentless ongoing maintenance.
SPEAKER_00: I can totally see the cultural friction there. I mean, getting developers and security teams to agree is notoriously difficult. Developers are usually evaluated and incentivized based on speed. They want to push updates, ship new features, and get the product to the user as fast as possible.
SPEAKER_01: Yeah, move fast and break things.
SPEAKER_00: Exactly. But security teams are evaluated on zero breaches. They want to move safely, test everything repeatedly, and lock things down. So doesn't implementing a massive complex framework like ISO 27034 risk slowing down innovation and deeply frustrating the development teams?
SPEAKER_01: It is a very valid concern, and to be blunt, it happens frequently if the standard is implemented poorly. If the security team just throws the ONF over the fence and demands compliance, well, development grinds to a halt. However, the standard accounts for this through a mechanism called application security verification. This involves integrating automated testing, audits, and validation processes directly into the developer's tools to ensure the controls actually work without requiring manual delays.
SPEAKER_00: Ah, automation. That helps.
SPEAKER_01: It does. Now, yes, setting up the ONF and ANF takes considerable time initially. It will absolutely feel like a slowdown during year one. But you have to look at the long-term payoff.
SPEAKER_00: And what is the actual measurable payoff for all that initial cultural and operational friction?
SPEAKER_01: Well, the source lists several major tangible benefits. First, organizations gain a significantly reduced risk of catastrophic application breaches.
SPEAKER_00: Which is huge.
SPEAKER_01: Exactly. Second, they produce software with vastly improved security quality, which means less time scrambling to fix broken code after launch. Right. Third, they build stronger customer trust, which is an invaluable currency today. And finally, they achieve alignment with global standards, giving them much better compliance readiness for whatever regulatory audits or data privacy laws come their way.
SPEAKER_00: So it is a significant amount of pain and investment up front to avoid a catastrophic company-ending data breach later. It is paying for the alarm wiring during construction so you don't have to rebuild the house after a break-in.
SPEAKER_01: That is the trade-off. And this raises an important question about the nature of security itself. One of the key principles of ISO 27034 is continuous improvement.
SPEAKER_00: Okay.
SPEAKER_01: Security is never a destination. You do not just achieve ISO 27034 compliance, print out a certificate, frame it on the wall, and then pack up and go home.
SPEAKER_00: I wish.
SPEAKER_01: We all do. But the standard explicitly states that security must be continuously monitored, updated, and improved. The threat landscape shifts daily. A vulnerability that didn't exist yesterday might compromise your application tomorrow, which means your application normative frameworks have to evolve right alongside the threats.
SPEAKER_00: It is a living, breathing process, which honestly makes perfect sense when you look at how fast technology moves. Man, we have covered a massive amount of ground today. We started with the broad bird's eye view of the ISO universe and zoomed all the way down into the structural blueprints of writing code. Let's distill all of this down to the core takeaway. The source gives us a brilliant, concise definition. ISO 27034 is a global standard that provides a structured framework for building and maintaining secure applications throughout their entire life cycle.
SPEAKER_01: It represents the vital shift from reactive security, you know, chasing the hackers after they are already inside, to proactive security.
SPEAKER_00: So what does this all mean? It means that in a world where data is basically the most valuable commodity on earth, simply hoping an application is safe is no longer enough. Security has to be written into the very DNA of the software from day one. You have to plan for the worst, standardize your approach across your entire organization, and never ever stop monitoring the horizon for new threats.
SPEAKER_01: Well said.
SPEAKER_00: And make sure to visit wecyberyou.com for more content like this. We have a massive amount of resources waiting for you there.
SPEAKER_01: As we leave you today, I want to offer a final lingering thought to ponder on your own. Think about the applications you rely on every single day to run your life. Your mobile banking app, your private messaging tools, your work email, the apps that hold your personal photos, and your daily schedule. If every single one of those software developers was suddenly legally required to prove they followed a rigorous security by design framework like ISO 27034 from the very first line of code, well, how many of those apps do you think would actually pass the test? And how many would have to be taken offline tomorrow?
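Editor's worked example, added after the transcript and not part of the episode or of ISO/IEC 27034 itself. The hosts describe SQL injection as typing database commands into a text box, and describe the development-stage control as strict input validation on the "amount to transfer" field. The Python below shows both halves of that in code: a lookup that concatenates user text into SQL (the "guard hands over the keys" case), the same lookup with a parameterized query, and a transfer routine that validates the amount and runs its two updates in one transaction. The in-memory SQLite database, the account numbers and the 10,000.00 limit are all constructed for this illustration.

```python
import sqlite3
from decimal import Decimal, InvalidOperation


def make_db():
    """Build a small in-memory accounts table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (number TEXT PRIMARY KEY, owner TEXT, balance_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 50_000), ("1002", "bob", 12_000)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, account_number):
    # The user's text is spliced into the statement, so the input
    # ' OR '1'='1  turns the WHERE clause into a tautology and returns every row.
    sql = f"SELECT owner, balance_cents FROM accounts WHERE number = '{account_number}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, account_number):
    # The placeholder keeps the input as a value; it can never become SQL syntax.
    sql = "SELECT owner, balance_cents FROM accounts WHERE number = ?"
    return conn.execute(sql, (account_number,)).fetchall()


def validate_amount(text, max_cents=1_000_000):
    """Accept a positive decimal with at most two places; return integer cents.

    Rejects anything that is not a number (including injection strings),
    NaN/Infinity, zero or negative values, sub-cent precision, and amounts
    above the per-transfer limit (an assumed policy value).
    """
    try:
        value = Decimal(text)
    except InvalidOperation:
        raise ValueError("amount must be a decimal number")
    if not value.is_finite() or value <= 0:
        raise ValueError("amount must be a positive finite number")
    cents = value * 100
    if cents != cents.to_integral_value():
        raise ValueError("amount must have at most two decimal places")
    cents = int(cents)
    if cents > max_cents:
        raise ValueError("amount exceeds the per-transfer limit")
    return cents


def transfer(conn, src, dst, amount_text):
    """Move funds between accounts; validated input, parameterized SQL, one transaction."""
    cents = validate_amount(amount_text)
    with conn:  # commits on success, rolls back if anything below raises
        cur = conn.execute(
            "UPDATE accounts SET balance_cents = balance_cents - ? "
            "WHERE number = ? AND balance_cents >= ?",
            (cents, src, cents),
        )
        if cur.rowcount != 1:
            raise ValueError("insufficient funds or unknown source account")
        cur = conn.execute(
            "UPDATE accounts SET balance_cents = balance_cents + ? WHERE number = ?",
            (cents, dst),
        )
        if cur.rowcount != 1:
            raise ValueError("unknown destination account")
    return cents


def balance(conn, account_number):
    row = conn.execute(
        "SELECT balance_cents FROM accounts WHERE number = ?", (account_number,)
    ).fetchone()
    return None if row is None else row[0]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))      # every account
    print("parameterized:", lookup_parameterized(db, payload))  # nothing
    print("transfer:", transfer(db, "1001", "1002", "25.00"), "cents")
    for bad in ["' OR '1'='1", "-5", "10.005", "1e9"]:
        try:
            validate_amount(bad)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```

The point the hosts make about the two defences being separate holds here: `validate_amount` would stop the injection string on the amount field, but it is the placeholder in `lookup_parameterized` and `transfer` that protects the free-text account-number field, where a strict whitelist is not always possible. Run the whole thing under the transaction so a failed second update cannot leave money debited but never credited.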