ISO/IEC 27034-5 — Application Security — Part 5: Protocols and Application Security Control Data Structure

Data Formats, Communication Protocols, and API Specifications for Automated Application Security Management

ISO/IEC 27034-5 defines the protocols and application security control data structures that enable interoperability between different tools and systems involved in application security management. While Parts 1 through 3 focus on the conceptual, organizational, and process aspects of application security, Part 5 addresses the technical interoperability layer — the data formats, communication protocols, and API specifications that allow ASC information to be exchanged between development tools, security testing platforms, governance systems, and audit tools. This standard is essential for organizations seeking to automate their application security workflows and integrate security tooling into their DevOps pipelines.

ISO/IEC 27034-5 is the technical enabler for application security automation. If you want to automatically transfer ASC specifications from your governance system to your development tools and receive verification results back, this standard defines the data structures and protocols to make that happen.

Protocols and Data Structures for Application Security

ISO/IEC 27034-5 specifies the Application Security Control Data (ASCD) model: a structured data representation for ASC information that can be serialized, transmitted, and interpreted by different software systems. The ASCD model defines formal schemas for ASC specifications, including the security requirement, control description, implementation guidance, verification criteria, and verification evidence. These schemas are designed to be technology-neutral, supporting XML, JSON, and other serialization formats. The standard also defines the metadata that must accompany ASCD exchanges, including version identification, authorship, approval status, and effective date.

The standard specifies several protocol profiles for different use cases. The offline exchange profile supports batch transfer of ASC libraries between systems using file-based exchange (XML or JSON files). The real-time query profile enables on-demand retrieval of ASC specifications via RESTful API calls. The event-driven profile supports publish-subscribe patterns where ASC updates are pushed to subscribed systems when changes occur. Each profile includes detailed message formats, error handling procedures, and security considerations for the exchange itself, including authentication, integrity protection, and confidentiality requirements for ASC data in transit.

| Exchange Profile | Use Case | Protocol | Timing | Security Requirements |
|---|---|---|---|---|
| Offline Exchange | Bulk transfer of ASC library between air-gapped environments | File-based (XML/JSON) with digital signature | Periodic (daily/weekly) | Digital signature for integrity, encryption for confidentiality |
| Real-time Query | CI/CD pipeline requests ASC for a specific application | RESTful API over HTTPS | On-demand (per build/deploy) | Mutual TLS authentication, OAuth 2.0 authorization |
| Event-driven | ASC library update triggers re-verification of affected applications | Pub/Sub message queue with webhook | Event-triggered (real-time) | Message signing, replay protection, access control |
| Streaming | Continuous verification results from security testing tools | gRPC or WebSocket stream | Continuous (real-time) | End-to-end encryption, rate limiting, message ordering |

The Application Security Control Data Model

The ASCD model defines four primary data object types. The ASCSpecification object contains the complete specification of an ASC, including its identifier, version, description, applicable contexts, security requirements, control descriptions, and references to related organizational policies. The ASCVerificationPlan object defines the verification approach, including verification methods (review, analysis, testing), tools to be used, acceptance criteria, and responsible roles. The ASCVerificationResult object captures the outcome of verification activities, including pass/fail status, evidence references, findings descriptions, and remediation recommendations. The ASCDeploymentContext object describes the specific application and environment to which the ASC applies, enabling traceability between ASC specifications and their deployed instances.

The standard defines a comprehensive set of attributes for each data object. For example, the ASCSpecification includes mandatory attributes such as ascID (globally unique identifier), versionNumber, status (draft, approved, deprecated), effectiveDate, expiryDate, relatedOASC (for A-ASCs that trace back to an O-ASC), and securityControls (a structured list of controls with implementation guidance). Optional attributes include applicableFrameworks (e.g., NIST CSF, OWASP ASVS), regulatoryReferences, and threatModelReferences. This rich data model enables sophisticated querying and analysis of the ASC portfolio across an organization.

The ASCD model enables powerful automation scenarios. For example, when a new vulnerability class is discovered, the O-ASC library can be updated with a new control, and the event-driven profile automatically notifies all affected applications, triggers re-verification workflows, and generates compliance reports — all without manual intervention.

Implementing the ASCD model requires upfront investment in tool integration but pays dividends as the application portfolio grows. Organizations managing more than 50 applications report that the automation enabled by ISO/IEC 27034-5 reduces the per-application security management overhead by 70-80% compared to manual processes.

Interoperability and Automation in Security Toolchains

From an engineering implementation perspective, ISO/IEC 27034-5 provides the blueprint for building an integrated application security toolchain. The standard recognizes that modern development environments use a diverse set of tools — static analysis (SAST), dynamic analysis (DAST), software composition analysis (SCA), container scanning, infrastructure-as-code security, and runtime protection — and that effective application security management requires these tools to work together. The ASCD model provides a common language that enables different tools to share security requirements and verification results.

The standard also addresses the automation of ASC verification within CI/CD pipelines. It defines how ASCVerificationPlan objects can be translated into pipeline stage definitions, how ASCVerificationResult objects can be consumed by pipeline orchestration tools to make release decisions, and how ASCDeploymentContext objects can be updated automatically when applications are deployed to different environments. This level of integration transforms application security from a manual review process into an automated quality gate within the software delivery lifecycle. The standard provides specific guidance for integrating with common CI/CD platforms, including Jenkins, GitLab CI, GitHub Actions, and Azure DevOps.
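The release-decision step described above, as an added example that is not code from the standard or from any CI/CD platform: a pipeline gate that consumes ASCVerificationResult objects for the ASCs an ASCDeploymentContext requires. The attribute names requiredASCs, evidenceRefs, applicationID and environment are assumptions for this illustration, as are the sample ASC identifiers.

```python
from dataclasses import dataclass, field


@dataclass
class ASCVerificationResult:
    ascID: str
    versionNumber: str
    status: str                                        # "pass" or "fail"
    evidenceRefs: list = field(default_factory=list)   # assumed attribute name
    findings: list = field(default_factory=list)


@dataclass
class ASCDeploymentContext:
    applicationID: str                                 # assumed attribute name
    environment: str                                   # e.g. "production"
    requiredASCs: dict = field(default_factory=dict)   # ascID -> required versionNumber (assumed)


def release_decision(ctx: ASCDeploymentContext, results: list) -> tuple:
    """Return (allowed, reasons). Every required ASC needs a passing result for the
    exact required version, backed by at least one evidence reference; a missing
    result, a result for another version, a failure or a pass without evidence blocks."""
    by_key = {(r.ascID, r.versionNumber): r for r in results}
    reasons = []
    for asc_id, version in ctx.requiredASCs.items():
        r = by_key.get((asc_id, version))
        if r is None:
            reasons.append(f"{asc_id}@{version}: no verification result for {ctx.environment}")
        elif r.status != "pass":
            reasons.append(f"{asc_id}@{version}: verification failed ({len(r.findings)} finding(s))")
        elif not r.evidenceRefs:
            reasons.append(f"{asc_id}@{version}: pass recorded without evidence, not accepted")
    return (not reasons, reasons)


def demo_gate() -> tuple:
    """Constructed sample: one clean pass, one result for the wrong version, one pass without evidence."""
    ctx = ASCDeploymentContext("payments-api", "production",
                               {"ASC-AUTH-001": "1.2.0", "ASC-CRYPTO-004": "2.0.0", "ASC-LOG-002": "1.0.0"})
    results = [
        ASCVerificationResult("ASC-AUTH-001", "1.2.0", "pass", ["sast-run-4711"]),
        ASCVerificationResult("ASC-CRYPTO-004", "1.9.0", "pass", ["dast-run-99"]),  # stale version
        ASCVerificationResult("ASC-LOG-002", "1.0.0", "pass"),                     # no evidence
    ]
    return release_decision(ctx, results)
```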

A critical security consideration when implementing ASCD exchanges is protecting the integrity and confidentiality of ASC data. An attacker who can modify ASC specifications could weaken security requirements without detection. ISO/IEC 27034-5 requires digital signatures for ASCD objects and recommends using Hardware Security Modules (HSMs) for key management in high-security environments. Never transmit ASC data over unauthenticated channels or accept unsigned ASC specifications from untrusted sources.

Q1: Do I need to implement all four exchange profiles?
A: No. Most organizations start with the real-time query profile for CI/CD integration and add other profiles as needed. The offline exchange profile is primarily useful for organizations with air-gapped environments or when exchanging ASCs with external partners. Start simple and expand based on your automation requirements.
Q2: Is ISO/IEC 27034-5 compatible with OpenSSF Scorecard or SLSA?
A: The ASCD model is designed to be extensible. You can map ASC specifications to OpenSSF Scorecard checks and SLSA attestations. The protocol profiles defined in Part 5 support the transport of these external framework mappings as extensions to the core ASCD objects.
Q3: What serialization format should I use?
A: The standard supports both XML and JSON. JSON is recommended for RESTful API integrations and web-based tools, while XML is preferred in environments with established XML Schema validation tooling. The standard also provides guidance for Protocol Buffers (protobuf) serialization for high-performance streaming scenarios.
Q4: How do I handle versioning of ASC specifications in automated exchanges?
A: Each ASCSpecification includes a versionNumber and a changeHistory attribute. Automated consumers should check the versionNumber when receiving ASC updates and process them in version order. Breaking changes should use a new ascID with a supersedes reference to the old ASC. The standard recommends semantic versioning (major.minor.patch) for ASC specifications.
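The consumer-side checks discussed in the integrity paragraph above and in Q4, as an added example that is not code from the standard: an ASCSpecification feed is verified, unsigned or tampered objects are dropped, surviving updates are applied in semantic-version order, and a supersedes reference retires the old ascID. HMAC-SHA256 over canonical JSON with a shared key stands in for the digital signature the standard requires (swap in an asymmetric signature with an HSM-held key in practice); the signature field name, the draft-skipping rule and the sample identifiers are assumptions.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # constructed; a real deployment keeps the signing key in an HSM


def canonical_bytes(body: dict) -> bytes:
    """Deterministic JSON so producer and consumer hash exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_spec(spec: dict, key: bytes) -> dict:
    """Producer side: add a 'signature' field (assumed name) over the canonical body."""
    body = {k: v for k, v in spec.items() if k != "signature"}
    return {**body, "signature": hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()}


def verify_spec(spec: dict, key: bytes) -> bool:
    """Consumer side: unsigned or tampered specifications are rejected outright."""
    sig = spec.get("signature")
    if not isinstance(sig, str):
        return False
    body = {k: v for k, v in spec.items() if k != "signature"}
    return hmac.compare_digest(sig, hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest())


def parse_version(v: str) -> tuple:
    """major.minor.patch -> comparable tuple, so 1.10.0 sorts after 1.9.3."""
    return tuple(int(p) for p in v.split("."))


def accept_updates(updates: list, key: bytes, current: dict) -> dict:
    """Apply verified updates per ascID in ascending version order and return the new state.
    Drafts and non-increasing versions are skipped; an update carrying a 'supersedes'
    reference marks the referenced ascID deprecated in local state (assumed handling)."""
    state = dict(current)
    valid = [u for u in updates if verify_spec(u, key)]
    for spec in sorted(valid, key=lambda s: (s["ascID"], parse_version(s["versionNumber"]))):
        old = state.get(spec["ascID"])
        if spec.get("status") == "draft":
            continue
        if old and parse_version(old["versionNumber"]) >= parse_version(spec["versionNumber"]):
            continue
        state[spec["ascID"]] = spec
        if spec.get("supersedes") in state:
            state[spec["supersedes"]] = {**state[spec["supersedes"]], "status": "deprecated"}
    return state


def demo_updates() -> list:
    """Constructed feed: two versions out of order, a tampered copy, an unsigned object, a successor."""
    v11 = sign_spec({"ascID": "ASC-AUTH-001", "versionNumber": "1.1.0", "status": "approved"}, DEMO_KEY)
    v12 = sign_spec({"ascID": "ASC-AUTH-001", "versionNumber": "1.2.0", "status": "approved"}, DEMO_KEY)
    tampered = {**v12, "versionNumber": "9.0.0"}  # body changed after signing, signature now stale
    unsigned = {"ascID": "ASC-AUTH-002", "versionNumber": "1.0.0", "status": "approved"}
    v20 = sign_spec({"ascID": "ASC-AUTH-002", "versionNumber": "2.0.0", "status": "approved",
                     "supersedes": "ASC-AUTH-001"}, DEMO_KEY)
    return [v12, tampered, v11, unsigned, v20]
```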
