ÖNORM A7700 is an Austrian standard that defines requirements for the security of web applications. It was developed by the Austrian Standards Institute, also known as Austrian Standards, and represents the current state of the art regarding web application security. The standard is divided into several parts covering different aspects of web application security, from basic concepts to detailed requirements for secure operation and data protection. Since its introduction, it has been considered an important guideline for companies that develop or operate web applications, particularly in security-critical areas such as the financial or public sector.
What parts does ÖNORM A7700 include?
ÖNORM A7700 consists of four parts that cover different areas of web application security. This structure allows the individual security aspects to be examined in detail as they arise during the development, operation, and maintenance of web applications. Each part addresses specific security requirements and takes into account the constantly changing technological environment.
ÖNORM A 7700-1: Terms
Part 1 of ÖNORM A7700 forms the foundation of the entire standard series by defining central terms used in the following parts. It is essential that all actors working with the standard have a common understanding of these terms to avoid misunderstandings. This part also covers important principles of web application security.
ÖNORM A 7700-2: Data Protection Requirements
Part 2 of the standard describes the requirements for web applications resulting from data protection regulations. With the introduction of the GDPR (General Data Protection Regulation), the protection of personal data has become a central concern in web application development. ÖNORM A 7700-2 helps developers meet these requirements in accordance with the state of the art and comply with current legal requirements.
ÖNORM A 7700-3: Information Security Requirements
Part 3 focuses on requirements arising from information security. This part deals with aspects such as confidentiality, integrity, and availability of information in web applications. It provides guidelines for implementing security measures to prevent threats such as data theft, unauthorized access, or data manipulation.
ÖNORM A 7700-4: Testing
The fourth and final part of ÖNORM A7700 deals with the testing of web applications. It establishes methods and criteria for verifying compliance with the security requirements defined in the previous parts. This part is particularly important for auditors and security experts who need to evaluate and certify the security of web applications.
What security requirements does ÖNORM A7700 define?
ÖNORM A7700 defines comprehensive security requirements for web applications, encompassing both technical and organizational measures. The goal is to ensure the confidentiality, integrity, and availability (CIA triad) of information. The standard takes into account the various threat scenarios a web application may be exposed to during operation and demands a proactive security approach.
A 7700-3 covers a broad spectrum of security-relevant topics, including:
- Architecture: Basic security aspects in the application structure.
- Data storage/Data transport: Protection of sensitive settings and parameters.
- Authentication, Authorization and Session Handling: Secure user authentication and access control, implementation of 2FA.
- Protection against specific attacks: Measures against session riding, click-jacking, path traversals, malicious file up/downloads, replay attacks, injections, data manipulation, ...
- Input and output handling: Secure handling of user inputs and data outputs (keyword XSS, SSTI, ...).
- System and error messages: Control of information disclosure through messages.
- Cryptography: Use of cryptographic methods to protect data.
- Documentation: Requirements for documenting security-relevant aspects.
- Logging: Recording of security-relevant events.
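The two items "System and error messages" and "Logging" are closely related in practice: the details that must not reach the user (exception text, query fragments, file paths) are exactly what the security log needs. The following Python module is an added example written for this page, not code from the standard or from any project it mentions; the event names, the `SENSITIVE_FIELDS` list and the reference-id scheme are assumptions chosen for illustration. It records security-relevant events as one JSON line each, masks sensitive fields before they are written, and turns internal failures into a generic client response that carries only a reference id.

```python
import json
import logging
import secrets
from datetime import datetime, timezone
from typing import Any

# Keys whose values must never appear in a log line (constructed list; extend
# it to match the application's own data model).
SENSITIVE_FIELDS = {"password", "token", "session_id", "authorization"}

logger = logging.getLogger("security")
logger.addHandler(logging.StreamHandler())
logger.setLevel(logging.INFO)


def redact(details: dict[str, Any]) -> dict[str, Any]:
    """Mask sensitive values so the security log itself does not leak secrets."""
    return {
        key: ("[REDACTED]" if key.lower() in SENSITIVE_FIELDS else value)
        for key, value in details.items()
    }


def security_event(event: str, outcome: str, **details: Any) -> dict[str, Any]:
    """Build one structured, machine-readable security-relevant event record."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "event": event,      # assumed naming: "auth.login", "authz.denied", "app.error"
        "outcome": outcome,  # "success", "failure" or "error"
        **redact(details),
    }


def log_event(record: dict[str, Any]) -> str:
    """Emit the record as a single JSON line and return it for forwarding or testing."""
    line = json.dumps(record, sort_keys=True)
    logger.info(line)
    return line


class PublicError(Exception):
    """An error whose message is intentionally safe to show to the end user."""


def handle_failure(exc: Exception, request_path: str) -> tuple[int, dict[str, str]]:
    """Map an exception to a user-facing response without disclosing internals.

    The detailed cause (exception type and message) goes to the security log
    together with a random reference id; the client only receives the id and a
    generic message, so stack traces, query text or paths never leave the server.
    """
    ref = secrets.token_hex(8)
    log_event(security_event(
        "app.error", "error",
        ref=ref, path=request_path,
        exc_type=type(exc).__name__, exc_msg=str(exc),
    ))
    if isinstance(exc, PublicError):
        return 400, {"error": str(exc), "ref": ref}
    return 500, {"error": "An internal error occurred.", "ref": ref}


def record_login(form: dict[str, str], success: bool, client_ip: str) -> str:
    """Log a login attempt; any credential field in the form is redacted on the way out."""
    return log_event(security_event(
        "auth.login", "success" if success else "failure",
        ip=client_ip, **form,
    ))


if __name__ == "__main__":
    # Constructed sample traffic.
    record_login({"username": "alice", "password": "hunter2"}, False, "203.0.113.7")
    status, body = handle_failure(
        RuntimeError("syntax error near 'SELECT * FROM users'"), "/login")
    print(status, body)
```

The reference id is what support staff or an incident responder use to find the full record in the log, which is why it appears in both the log line and the response. Sorting the JSON keys keeps the lines diff- and grep-friendly for the forensic analyses the standard's logging requirement is meant to support.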
What requirements does ÖNORM A 7700-3 set for the secure operation of web applications?
ÖNORM A 7700-4 titled "Web Applications - Requirements for Secure Operation" establishes specific guidelines for the operational management of secure web applications.
- Information Security Management System (ISMS): The standard first requires the implementation of an ISMS. This forms the foundation for all other security measures and ensures a systematic approach to information security.
- Adherence to the minimal principle: Operators must ensure that only necessary functions and services are activated, in order to minimize the attack surface.
- Management of software components: Processes must be established for the selection, updating, and security testing of all software components used. This includes regular updates and patches to close known vulnerabilities.
- Configuration of components: All components of the web application must be securely configured. This includes deactivating unnecessary functions and adjusting default settings to minimize potential security risks.
- Data handling: The standard places special emphasis on the secure handling of data, including the use of appropriate encryption methods for sensitive information both in transit and at rest.
- Configuration of HTTP headers: Special attention is given to the correct configuration of HTTP headers, as these play an important role in defending against various types of attacks.
- Logging: Comprehensive logging mechanisms must be implemented to capture and monitor security-relevant events. This enables early detection of security incidents and supports forensic analyses.
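The HTTP header requirement is one of the few points in the list that can be checked mechanically, and it is the kind of check a penetration tester or internal auditor would run when verifying compliance. The following Python script is an added example written for this page; it is not part of ÖNORM A 7700, which does not prescribe a specific header set, so the baseline (`REQUIRED`, `DISCLOSING`, the 180-day HSTS minimum and the CSP rules) is this example's assumption. It audits a captured set of response headers against that baseline and reports every deviation, shown here on a constructed "default install" response beside a hardened one.

```python
import re
from typing import Callable, Optional

# A check receives the header value and returns a problem description, or None if acceptable.
Check = Callable[[str], Optional[str]]

HSTS_MIN_AGE = 180 * 24 * 3600  # assumed baseline: at least 180 days


def _hsts(value: str) -> Optional[str]:
    match = re.search(r"max-age=(\d+)", value, re.I)
    if not match:
        return "missing max-age"
    if int(match.group(1)) < HSTS_MIN_AGE:
        return f"max-age {match.group(1)} is shorter than 180 days"
    return None


def _csp(value: str) -> Optional[str]:
    low = value.lower()
    if "default-src" not in low:
        return "no default-src fallback directive"
    if "'unsafe-inline'" in low or "'unsafe-eval'" in low:
        return "allows 'unsafe-inline' or 'unsafe-eval'"
    return None


def _one_of(*allowed: str) -> Check:
    """Accept only an exact (case-insensitive) match from a fixed set of values."""
    def check(value: str) -> Optional[str]:
        if value.strip().lower() in allowed:
            return None
        return f"unexpected value {value!r}"
    return check


# Headers the baseline expects on HTML responses, with how each value is judged.
REQUIRED: dict[str, Check] = {
    "strict-transport-security": _hsts,
    "content-security-policy": _csp,
    "x-content-type-options": _one_of("nosniff"),
    "x-frame-options": _one_of("deny", "sameorigin"),
    "referrer-policy": _one_of("no-referrer", "same-origin", "strict-origin",
                               "strict-origin-when-cross-origin"),
}

# Headers that disclose implementation details; the baseline wants them absent.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return one finding per deviation from the baseline; an empty list means it is met."""
    lower = {name.lower(): value for name, value in headers.items()}
    findings: list[str] = []
    for name, check in REQUIRED.items():
        if name not in lower:
            findings.append(f"{name}: missing")
            continue
        problem = check(lower[name])
        if problem:
            findings.append(f"{name}: {problem}")
    for name in DISCLOSING:
        if name in lower:
            findings.append(f"{name}: discloses implementation details ({lower[name]!r})")
    return findings


# Constructed sample responses: a typical default install and a hardened configuration.
WEAK = {
    "Server": "Apache/2.4 (Ubuntu)",
    "X-Powered-By": "PHP/7.4",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, headers in (("default install", WEAK), ("hardened", HARDENED)):
        findings = audit_headers(headers)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

In an audit the `headers` dict would be filled from a captured response (for example the output of the application's own test client) and the findings list attached to the documented requirement, so that the responsible administrator can close each point individually.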
While the following points are not mentioned directly, they are implied by ÖNORM A7700:
- Continuous monitoring and improvement: The ISMS and all security measures must be regularly reviewed and adapted to new threats.
- Competence management: Operators must ensure that personnel have the necessary skills and knowledge to implement and monitor the security requirements.
- Incident Response: Processes should be established for the rapid detection of and response to security incidents.
- Compliance: Adherence to relevant legal and industry-specific regulations must be ensured.
How does ÖNORM A7700 differ from other security standards?
ÖNORM A7700 differs from other IT security standards, which often have a broader scope, through its specific focus on web applications. In contrast to international standards such as ISO/IEC 27001, which set general requirements for information security management systems, ÖNORM A7700 concentrates on the technical and organizational security requirements of web applications. This specialization makes it particularly relevant for developers, operators, and purchasers of web applications who need to ensure that their systems meet the highest security standards.
ISO/IEC 27034 is certainly much closer, although it is still somewhat more general, since it deals with application security as a whole.
How do you check if you are ÖNORM A7700 compliant?
Organizational measures can be worked through relatively easily with a checklist. The technical measures require a more thorough review. Security vulnerabilities can be covered by a penetration test of the web application; a good penetration tester can check additional points at the same time, such as required headers, configurations, etc. Since the standard also requires logging and documentation, these should be reviewed as well, which can be done as part of an internal audit and/or a source code review. The architecture of the application should also be checked; a penetration test does not cover this either. All requirements should be documented so that they can be worked through with the appropriate responsible person. Depending on the requirement, the appropriate experts (penetration testers, developers, sysadmins, ...) should be consulted.