The Brand New ÖNORM A 7700 Is Live

news SSDLC

…and honestly, this wasn’t an easy feat! It took our working group (AG 001.77) – which I was honored to chair – more than two years from start to finish. At least a dozen security experts were active members of the group, bringing in their specific knowledge to the individual areas. At times it was a cumbersome but ultimately very fruitful endeavor.

Code of the brand new ÖNORM A 7700 on green background - SEC Consult

The previous version of the ÖNORM A 7700 was released in December 2008. In a fast-paced field like information security, some would call this quite dated. Therefore, we decided to not only overhaul the standard completely but also address the limitations in scope, which we have witnessed over the years. The previous version was solely focused on the application security aspects of web applications, neglecting the underlying requirements for secure operations. Data protection aspects have also been completely out of scope so far.

We decided to take the opportunity to add those topics to the new version of the ÖNORM, called ÖNORM A 7700:2019. This allowed us to cover more ground but also introduced a whole new level of complexity into the standardization process. Nevertheless, we took the necessary time to get it right and, in the end, we managed to align everything in a conclusive series of standards.
The ÖNORM A 7700 was split into four distinct parts, to separate the individual topics. While the ÖNORM A 7700-1 contains the terminology required for the rest of the series, ÖNORM A 7700-2 to ÖNORM A 7700-4 contain the actual requirements:

  • ÖNORM A 7700-1: Web Applications – Terms and definitions
  • ÖNORM A 7700-2: Web Applications – Data protection requirements
  • ÖNORM A 7700-3: Web Applications – Security requirements
  • ÖNORM A 7700-4: Web Applications – Requirements for secure operations

We stuck to our guns when it came to the orientation and goals of the standard. As a requirement document that defines the state-of-the-art, the ÖNORM A 7700 must define what to do, not how to do it. This approach has some critics and I do understand their sentiment. If you are looking for specific guidance, you would like to have more details – in an ideal world even a technology-specific how-to.

That’s not the intention of an ÖNORM though. The clear goal of such a standard is defining the requirements as generic as possible, without any unnecessary restrictions. If you need more specific recommendations, there are bettersuited resources available. But if you are looking for a clear-cut, generic requirements document, look no further!

1    New Data Protection Requirements For Web Applications

Nevertheless, one year after the release of the GDPR, people were longing for concrete implementation guidelines. Concerning data protection for web applications, we made it our mission to deliver such ground rules.

The result is ÖNORM A 7700-2. Our goal was providing the requirements without being overly redundant with the GDPR itself. We address the specific needs of developers who have to consider data protection requirements during implementation, while also providing cross-references to the GDPR.

While the standard is – for obvious reasons – focused on web applications that collect personal data, there is also guidance for web applications that do not. Especially identifying and tracking users need to be addressed, even when personal data is not explicitly collected.

In the year 2019, there is one thing we need more of – data protection requirements!
said no one ever

Besides the normative requirements, the ÖNORM A 7700-2 also offers informative guidance based on selected examples (e.g. providing a newsletter). It must be noted that data protection relies heavily on the resilience of the application and underlying infrastructure against attacks. Therefore, the ÖNORM A 7700-2 explicitly mentions, that data protection compliance also requires compliance with ÖNORM A 7700-3 and ÖNORM A 7700-4.

2      Overhaul Of Application Security Requirements

Those of you familiar with the old ÖNORM A 7700:2008 will recognize the new ÖNORM A 7700-3:2019 as the updated and significantly improved version of the former standard. While none of the established topics have been dropped, new important aspects were introduced throughout the document.

One attack vector that wasn’t previously covered explicitly is Session-Riding. That has been troublesome in the past, as its primary manifestation in the form of Cross-Site-Request-Forgery (CSRF) is a wide-spread problem in web applications. The new version of the standard closes this gap.

Some other noteworthy improvements are the introduction of Click-Jacking protection, protection against insecure serialization and deserialization, and specific requirements regarding logging of security events.

If you use the ÖNORM A 7700 as a requirement document for RFPs, you’ll also be happy to find a section that defines specific requirements concerning security-relevant documentation – an area often neglected by vendors.

3      New Requirements For Secure Operations Of Web Applications

So far, the scope of the ÖNORM A 7700 was limited to the application itself. With the introduction of ÖNORM A 7700-4:2019, the scope was expanded to secure operations as well. One of the bigger challenges during the standardization process was defining what really should be included in the ÖNORM itself, and which aspects should be handled by other standards and guidelines. Replicating controls from management standards like the ISO/IEC 27002:2013 was not reasonable. Therefore, we decided to require an established security management system as a baseline for compliance with ÖNORM A 7700-4. All other requirements are built on top of it.

Those requirements include the following topics among others:

  • Enforcing the minimum principle in several areas
  • Selection and maintenance of programming languages, frameworks, and other components
  • Secure configuration and system hardening
  • Secure administration
  • Protecting data in transit and data at rest
  • Configuration of HTTP header
  • Logging

 

As already mentioned in the introduction, we are talking about generic requirements defining what to do, not how to do it. You won’t find technology-specific guidance in an ÖNORM, that’s not the goal. But if you need a comprehensive list of generic requirements as a starting point for your requirements engineering process or as a binding specification for your vendors, the ÖNORM A 7700-4:2019 is for you. To add even more value to the document, we referenced more specific guidelines like CIS-Benchmarks and technical guidelines from NIST and the BSI as well.

4    Certification Terminated By Austrian Standards

There is one more important change concerning the new ÖNORM A 7700:2019. Austrian Standards decided to terminate the certification process. This means that it is no longer possible to obtain a certificate from Austrian Standards based on ÖNORM A 7700, because the old version is superseded, and the new version does not allow certification anymore. If you are the proud owner of a valid ÖNORM A 7700 certificate from Austrian Standards, take good care of it – it will probably become a rarity with collector’s value.

 

About the author

Thomas Kerbl
Thomas Kerbl
SEC Consult Group
Principal Security Consultant

Thomas has worked as a security consultant at SEC Consult for over 15 years. In his role as principal security consultant and team leader, he does not only lead a team of experts, but is also still involved in customer projects hands-on. Currently he is engaged in projects concerning “Secure Software Development” and “Security Architecture” where he incorporates his experiences as a former penetration tester and security requirements engineer.