
Security Basics mailing list archives

Re: Recommendation for a comprehensive security audit
From: Vic Vandal <vvandal () well com>
Date: Tue, 10 Jul 2012 13:43:28 -0700 (PDT)


I don't endorse any audit firm because there are too many out there to do so fairly, and I don't work for an audit firm.
Being that you're handling payments, then perhaps the BITS FISAP (Financial Industry Shared Assessment Program) audit 
process will meet your needs.  It is internationally developed and administered.  Here are just a couple of reference 
links and you can certainly search for others.



That type of audit is not cheap (~$100K US for mid-size companies, using reputable audit firms).  You could also have 
your company audited using SSAE-16 models (SOC-1/2/3).  
The price tag will be about the same though.  The BITS audit may be advantageous in that it goes deeper into physical 
security, development environments, etc., which seem to be important to you.  But the SSAE-16 model may be advantageous 
because it comes with an audit firm's opinion, whereas the BITS report only gives testing results with no opinion on 
the overall security posture.  One size does not fit all.

An ISO 27001 / 27002 audit may be desirable.  This list is sorely lacking, but has some audit firms in the UK who 
provide that service.


Being that you're with a start-up firm that may not have deep pockets, you could always have your Internet-facing 
architecture scanned using PCI and other standard web vulnerability tests.  That is relatively inexpensive.  Then you 
could bolt on other audits (physical security, policies and procedures, internal vulnerability and risk management, 
business continuity, change control, network security, etc.) as time and budget allow.  
Here is a list of Approved Scanning Vendors of that type.


I'm familiar with a few of those vendors, but again I don't want to endorse any firm.  I will say that sometimes you 
get what you pay for.  I've seen at least one of those report a number of false-positives on a recurring basis.  Their 
price tag is cheap, but if I have to go behind each report and re-test everything myself only to find and prove that 
the findings are inaccurate and those vulnerabilities don't exist, then the value of the service certainly diminishes.  
Food for thought.


----- Original Message -----
From: "Security" <security () ignorable com>
To: security-basics () securityfocus com
Sent: Tuesday, July 10, 2012 10:56:00 AM
Subject: Recommendation for a comprehensive security audit

Hello all,

We are an online payments solution provider start-up in the UK and are 
about to roll out our first web application, using fairly standard 
technologies like MySQL, Apache, Java, NodeJS, Flash, Flex and so forth.

What we are looking for is a comprehensive security audit encompassing 
our production as well as development and office environments, not just 
from a technical perspective but also in regards to physical security. 
This also needs to include compliance testing for PCI, FSA and possibly 

Can someone recommend any companies for this, or alternatively a forum 
with reviews of such companies?

Many thanks in advance,



