Security Basics mailing list archives

Re: Security requirements


From: Todd Haverkos <infosec () haverkos com>
Date: Mon, 13 Jun 2011 14:27:21 -0500

<michele.maturo () quotium com> writes:

Hi Guys,

We are implementing our security perimeter with little knowledge. We
would like to know which commercial tools would be good to cover the
elements below:

Establish Security Controls
* Activate specialized Application Security tools (i.e. SAP GRC)
* Daily Monitor (checking Application log reports)
* Alert and advice corrective actions
* Periodical Compliance Check

I'd be curious who wrote the requirements that you quote.  Was this
from a consulting company?  Auditor?  Penetration test?  Application
test?  If so, which one?  I don't envy your position!

If this was the output of some sort of audit or assessment, I would go
back to the company who wrote this strategic advice and demand that
they give you an answer to this question you've asked (because their
report is awful if it just lists these vague bullet points).  If they
don't give you an answer, tell us all who they are so we can shame and
avoid them (or at least the practitioner who wrote the report).  :-)

I'll do my best to decipher what's been handed to you though. 

GRC tools are Governance, Risk Management, and Compliance tools.  That
the first bullet mentions a GRC tool as an example of an Application
Security tool concerns me, as appsec and GRC are not the same thing.
Output from an enterprise application scanning tool may find its way
into a GRC tool somehow via a connector, but to have them mentioned
like they've been mentioned above makes me wonder who wrote this list.
SAP does have GRC tools as mentioned in the bullet but Archer from RSA
is another one I hear often mentioned.  There are a lot of facets to
GRC.  If you're interested in Application Security specific GRC, then
something like HP's AMP (Application management platform) comes to
mind which takes info gleaned from assessments and automated
WebInspect scans and other sources of data and give you an enterprise
view.   None of it is cheap.  

The Daily Monitor bullet is attempting to tell you that logfile review
is important, and that there should be someone or some group in your
organization responsible for watching these.   Arcsight Logger,
Splunk, Log Rhythm.  Google "log management"  

"Alert and advice corrective actions" doesn't even make grammatical
sense.  My best guess is that they're suggesting some method of
tracking remediations for identified risks.  GRC tools would do this,
I suppose, but you'd have to ask the person that wrote this what they
meant.  Maybe in the context of an application assessment, this speaks
to a bug database? It's hard to guess. 

And a "periodical compliance check"...  assuming it's not a tool to
manage magazine subscriptions (pardon that sarcastic humor), probably
intends to suggest either the use of a Compliance tool of some sort,
or, if this is coming from auditors, it's a bullet point to remind you
to "have us back here in a year so we can write you more vague and
confusing recommendations."  If it's a tool they're suggesting, what
compliance tool would make sense would be specific to your compliance
audit drivers (PCI for folks dealing with credit card info, for
instance), the size of your business/budget, the country the business
is in, and what you need to measure for your compliance drivers.

And one thing you probably also need to let your managers know is that
tools won't bring security.  Without ramping up the knowledge first,
you will invariably end up with a hodgepodge of rather expensive
tools that won't get implemented fully or effectively, managed by
people who don't fully understand why the tools are there, and what
they can tell you.  As such, some effort in bridging the knowledge gap
would be well advised before jumping into buying a bunch of tools to
implement basic controls.  

I'm sure others will chime in if you can fill in some details as to
where and how these recommendations ended up on your to-do list! 

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
