2. Presented by Mouhammad Esayed
5/30/2020 Mouhammad Esayed
1. Define the Risk that the user might face while using this application
2. How to minimize this risk
3. Follow an SSDLC
4. Maintain the CIA
5. Implementing the ISO 27001 controls
Define the Risk that the user might face while using this application
This should be done by carrying out an assessment that defines all the probable risks the user might be exposed to when using our application.
• Define the users of the application: the patient, the medical staff and the patient’s relatives.
• Define the risks that our users might be exposed to if they use our application:
  • User’s sensitive data might be leaked.
  • An attacker might disclose a well-known person’s sensitive data to the public.
  • Mobile phone might be lost or stolen.
  • Source code might contain a vulnerability.
  • Mobile application might be unavailable, or the server might be down.
  • User’s data might be changed or altered by an attacker or through user misuse.
How to minimize this Risk
By applying security controls to the application.
These security controls should cover the development, implementation, usage and maintenance of the application.
You have to follow a secure development lifecycle.
SDLC
Software Development Lifecycle
Definition: SDLC methodologies provide a systematic framework to design, develop and deliver software applications, from beginning to end.
We need to add the value of security to this lifecycle.
Maintain the CIA triad
What is the CIA?
Confidentiality
Integrity
Availability
The CIA triad is the backbone that we will depend on when talking about security.
Implementing the ISO 27001 controls
Which controls from ISO 27001 can we use to help secure our application?
A.10 Cryptography
A.12 Operations Security
A.13 Communication Security
A.14 System acquisition, development and maintenance
A.17 Information security aspects of business continuity
A.18 Compliance