Security Basics mailing list archives
Re: Security requirements
From: Todd Haverkos <infosec () haverkos com>
Date: Mon, 13 Jun 2011 14:27:21 -0500
<michele.maturo () quotium com> writes:
> Hi Guys,
>
> We are implementing our security perimeter with little knowledge. We would like to know which commercial tools would be good to cover the elements below:
>
> Establish Security Controls
> * Activate specialized Application Security tools (i.e. SAP GRC)
> * Daily Monitor (checking Application log reports)
> * Alert and advice corrective actions
> * Periodical Compliance Check
I'd be curious who wrote the requirements that you quote. Was this from a consulting company? Auditor? Penetration test? Application test? If so, which one? I don't envy your position!

If this was the output of some sort of audit or assessment, I would go back to the company who wrote this strategic advice and demand that they give you an answer to this question you've asked (because their report is awful if it just lists these vague bullet points). If they don't give you an answer, tell us all who they are so we can shame and avoid them (or at least the practitioner who wrote the report). :-)

I'll do my best to decipher what's been handed to you though.

GRC tools are Governance, Risk Management, and Compliance tools. That the first bullet mentions a GRC tool as an example of an Application Security tool concerns me, as appsec and GRC are not the same thing. Output from an enterprise application scanning tool may find its way into a GRC tool somehow via a connector, but to have them mentioned like they've been mentioned above makes me wonder who wrote this list. SAP does have GRC tools as mentioned in the bullet, but Archer from RSA is another one I hear often mentioned. There are a lot of facets to GRC. If you're interested in Application Security specific GRC, then something like HP's AMP (Application Management Platform) comes to mind, which takes info gleaned from assessments and automated WebInspect scans and other sources of data and gives you an enterprise view. None of it is cheap.

The Daily Monitor bullet is attempting to tell you that logfile review is important, and that there should be someone or some group in your organization responsible for watching these. ArcSight Logger, Splunk, LogRhythm. Google "log management".

"Alert and advice corrective actions" doesn't even make grammatical sense. My best guess is that they're suggesting some method of tracking remediations for identified risks. GRC tools would do this, I suppose, but you'd have to ask the person that wrote this what they meant. Maybe in the context of an application assessment, this speaks to a bug database? It's hard to guess.

And a "periodical compliance check"... assuming it's not a tool to manage magazine subscriptions (pardon that sarcastic humor), probably intends to suggest either the use of a Compliance tool of some sort, or, if this is coming from auditors, it's a bullet point to remind you to "have us back here in a year so we can write you more vague and confusing recommendations." If it's a tool they're suggesting, what compliance tool would make sense would be specific to your compliance audit drivers (PCI for folks dealing with credit card info, for instance), the size of your business/budget, the country the business is in, and what you need to measure for your compliance drivers.

And one thing you probably also need to let your managers know is that tools won't bring security. Without ramping up the knowledge first, you will invariably end up with a hodgepodge of rather expensive tools that won't get implemented fully or effectively, managed by people who don't fully understand why the tools are there and what they can tell you. As such, some effort in bridging the knowledge gap would be well advised before jumping into buying a bunch of tools to implement basic controls.

I'm sure others will chime in if you can fill in some details as to where and how these recommendations ended up on your to-do list!

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
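The "Daily Monitor" bullet discussed above only says that somebody should be reviewing application log reports; the post does not describe how. As an added example that is not part of the original message and is not code from any of the products it names, the script below shows the minimum such a review needs to do: parse a day's application log, count authentication failures per user and source, surface privileged actions a reviewer should always see, and turn threshold crossings into alerts that can be tracked for corrective action. The key=value log format, the event names and the sample lines are all constructed for this example.

```python
"""Daily application-log review over constructed sample lines.

Assumptions (hypothetical, not from the original post): the application
writes one "ts user=... ip=... event=... [detail=...]" record per line,
and LOGIN_FAILED / ROLE_CHANGE etc. are its event names.
"""
import re
from collections import Counter

# Assumed key=value record layout; a real application will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+)"
    r"(?: detail=(?P<detail>.+))?$"
)

# Events a reviewer should see every day regardless of volume (assumed names).
PRIVILEGED_EVENTS = {"ROLE_CHANGE", "CONFIG_CHANGE", "USER_CREATED"}

# Constructed sample log: one normal day with one noisy source and one
# line the parser cannot read (unparsed lines must be counted, not dropped
# silently, or a format change would blind the review).
SAMPLE_LOG = """\
2011-06-13T08:01:02 user=alice ip=10.0.0.5 event=LOGIN_OK
2011-06-13T08:02:10 user=bob ip=10.0.0.9 event=LOGIN_FAILED
2011-06-13T08:02:15 user=bob ip=10.0.0.9 event=LOGIN_FAILED
2011-06-13T08:02:21 user=bob ip=10.0.0.9 event=LOGIN_OK
2011-06-13T09:10:00 user=admin ip=203.0.113.7 event=LOGIN_FAILED
2011-06-13T09:10:03 user=admin ip=203.0.113.7 event=LOGIN_FAILED
2011-06-13T09:10:06 user=admin ip=203.0.113.7 event=LOGIN_FAILED
2011-06-13T09:10:09 user=admin ip=203.0.113.7 event=LOGIN_FAILED
2011-06-13T09:10:12 user=admin ip=203.0.113.7 event=LOGIN_FAILED
2011-06-13T09:11:00 user=root ip=203.0.113.7 event=LOGIN_FAILED
2011-06-13T09:11:03 user=root ip=203.0.113.7 event=LOGIN_FAILED
2011-06-13T10:00:00 user=alice ip=10.0.0.5 event=ROLE_CHANGE detail=carol->ADMIN
this line is garbage and will not parse
"""


def parse_line(line):
    """Return the record's fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review(log_text, fail_threshold=5):
    """Summarize one day's log and derive alerts from simple thresholds."""
    failures = Counter()      # (user, ip) -> number of LOGIN_FAILED records
    privileged = []           # records the reviewer must look at by hand
    parsed = unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        parsed += 1
        if rec["event"] == "LOGIN_FAILED":
            failures[(rec["user"], rec["ip"])] += 1
        if rec["event"] in PRIVILEGED_EVENTS:
            privileged.append(rec)

    alerts = []
    # Many failures against one account from one source.
    for (user, ip), n in sorted(failures.items()):
        if n >= fail_threshold:
            alerts.append({"kind": "brute_force", "user": user, "ip": ip, "count": n})
    # One source failing against several accounts, even if each stays below
    # the per-account threshold.
    by_ip = {}
    for (user, ip), n in failures.items():
        total, users = by_ip.get(ip, (0, set()))
        users.add(user)
        by_ip[ip] = (total + n, users)
    for ip, (total, users) in sorted(by_ip.items()):
        if len(users) >= 2 and total >= fail_threshold:
            alerts.append({"kind": "multi_user_source", "ip": ip,
                           "users": sorted(users), "count": total})

    return {"parsed": parsed, "unparsed": unparsed,
            "failed_logins": dict(failures),
            "privileged_actions": privileged, "alerts": alerts}


def format_report(summary):
    """Render the summary as the plain-text daily report a reviewer would read."""
    out = [f"records parsed: {summary['parsed']}, unparsed: {summary['unparsed']}"]
    for a in summary["alerts"]:
        out.append("ALERT " + " ".join(f"{k}={v}" for k, v in a.items()))
    for rec in summary["privileged_actions"]:
        out.append(f"REVIEW {rec['ts']} {rec['user']} {rec['event']} {rec['detail']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(review(SAMPLE_LOG)))
```

The point of the example is the shape of the review, not the thresholds: every record is either parsed or counted as unparsed, every alert carries enough fields to be logged as a tracked corrective action, and privileged changes are listed unconditionally so that a single role change is not lost under the volume of login noise. Whether this logic lives in a script like this or in one of the log management products the post names, these are the questions a daily review has to answer.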