Security Basics mailing list archives
Re: Recommendation for a comprehensive security audit
From: Vic Vandal <vvandal () well com>
Date: Tue, 17 Jul 2012 07:46:29 -0700 (PDT)
I can't speak specifically for Andre or his company, but there are many cases where development environments are very logically in-scope for security audits. The BITS-FISAP audit standards require a security review of the pre-production environment. The SAS-70 audit brings pre-production environments in scope in various cases. Specifically the SAS-70 Type II audit brings into scope the "design, development and change cycles for hardware and software systems".

http://www.sas70.us.com/industries/saas-and-sas70.php

Real-world case example: The organization I work for has large financial organizations as customers. The larger ones send their own security auditors out to vendors who receive their customer's data. Amongst many standard questions they want to know what the vendors are doing to address potential code vulnerabilities in the development phase of the SDLC (software development life cycle). Stuff like:

- What is the process flow in the organization's SDLC?
- Where are system/application security requirements being addressed within the SDLC?
- What are the organization's guidelines for architecting secure applications?
- What are the published development guidelines for addressing the security requirements around authentication, authorization, input validation, exception management, session management, encryption of data and secrets in transit and in storage, auditing/logging, etc., etc., etc.?
- What are the source code and version control procedures to verify code integrity?
- Are the developers being trained in secure coding practices?
- Are source code reviews being performed to catch security issues before they hit QA or production?
- What tools or methodologies are being used to test for coding issues?
- Is production data ever introduced into the development environment? If so, is it sanitized/obfuscated beforehand? What is the process for authorizing those data copies?
- What is the process for auditing the development environment for production data, and/or validating that the obfuscation has been performed in each case?
- What is the process for moving code up the chain from development to QA/staging and then production? Are there adequate separation of duties and access controls in that process?

And so on, and so on, and so on.

Because the organization I work for also contracts services from other vendors and we provide them our customer data, sometimes we have to do the same types of audits of those vendors, which may include a review of their pre-production environment based on various circumstances.

Let's go back to Andre's situation though, and pretend his company is offering my company some service or software for processing online payments. I'd want to know the answers to many of the sample questions above (which were all typed off-the-cuff). I'd be super-interested in knowing how Andre's company's service and software addresses payment-message integrity, to be assured that the payments my organization received matched those being submitted. And that comes into system design first - pre-production.

Regards,
Vic

----- Original Message -----
From: "Thugzclub" <thugzclub () googlemail com>
To: "Security" <security () ignorable com>
Cc: security-basics () securityfocus com
Sent: Thursday, July 12, 2012 3:39:41 PM
Subject: Re: Recommendation for a comprehensive security audit

Why is your preproduction environment in scope? It does not appear to be in scope at all.

Regards.

On 10 Jul 2012, at 15:56, Security <security () ignorable com> wrote:

Hello all,

We are an online payments solution provider start-up in the UK and are about to roll out our first web application, using fairly standard technologies like MySQL, Apache, Java, NodeJS, Flash, Flex and so forth. What we are looking for is a comprehensive security audit encompassing our production as well as development and office environments, not just from a technical perspective but also in regards to physical security. This also needs to include compliance testing for PCI, FSA and possibly others.

Can someone recommend any companies for this, or alternatively a forum with reviews of such companies?

Many thanks in advance,
Andre
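Vic's last point, that an auditor would want to see how a payments service assures that the payment received matches the payment submitted, is a design question rather than a question for a particular product. The sketch below is an added example, not code from anyone in this thread or from any product it mentions; it assumes the submitting and receiving systems share a secret key exchanged out of band, that each payment carries a unique `payment_id`, and it uses constructed sample data. It shows the minimum a reviewer would look for: a deterministic encoding so both sides authenticate the same bytes, an HMAC over that encoding, a constant-time comparison on receipt, and a replay check so an identical message cannot be credited twice.

```python
"""Integrity check for payment messages: HMAC-SHA256 over a canonical encoding.

Assumptions (not from the original thread): submitter and receiver share a
secret key out of band, and each payment carries a unique payment_id that the
receiver uses to reject replays. All data below is constructed for the demo.
"""
import hashlib
import hmac
import json


def canonical_bytes(payment: dict) -> bytes:
    """Serialize deterministically so both sides MAC exactly the same bytes."""
    return json.dumps(payment, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_payment(payment: dict, key: bytes) -> str:
    """Hex HMAC-SHA256 tag the submitter attaches to the payment message."""
    return hmac.new(key, canonical_bytes(payment), hashlib.sha256).hexdigest()


def verify_payment(payment: dict, tag: str, key: bytes) -> bool:
    """Recompute the tag over the received message and compare in constant time."""
    expected = sign_payment(payment, key)
    return hmac.compare_digest(expected, tag)


class PaymentReceiver:
    """Receiving side: accept a payment only if its tag verifies and its id is new."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen_ids = set()
        self.accepted = []

    def receive(self, payment: dict, tag: str) -> str:
        if not verify_payment(payment, tag, self._key):
            return "rejected: bad integrity tag"
        pid = payment.get("payment_id")
        if pid in self._seen_ids:
            return "rejected: replayed payment_id"
        self._seen_ids.add(pid)
        self.accepted.append(payment)
        return "accepted"


# Constructed sample key and payment (hypothetical values, not real data).
SHARED_KEY = b"constructed-demo-key-do-not-use"
SUBMITTED = {
    "payment_id": "PMT-000123",
    "amount": "125.00",
    "currency": "GBP",
    "payee_account": "DEMO-ACCOUNT-42",
}


def run_demo() -> dict:
    """Exercise the receiver with an honest message, a tampered one, and a replay."""
    receiver = PaymentReceiver(SHARED_KEY)
    tag = sign_payment(SUBMITTED, SHARED_KEY)
    results = {}
    # Honest submission: tag matches, id unseen.
    results["honest"] = receiver.receive(SUBMITTED, tag)
    # Amount altered in transit but the original tag kept: tag no longer matches.
    tampered = dict(SUBMITTED, amount="1250.00")
    results["tampered"] = receiver.receive(tampered, tag)
    # Identical message resubmitted: tag verifies, but the id was already processed.
    results["replay"] = receiver.receive(SUBMITTED, tag)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

The canonical encoding matters as much as the MAC: if the two sides serialize with different key order or whitespace, honest messages fail verification and operators learn to ignore the check. For auditors, the evidence they would ask for is where this check sits in the design, which key-management process backs `SHARED_KEY`, and how the replay store is persisted across restarts.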