Re: Recommendation for a comprehensive security audit
From: Vic Vandal <vvandal () well com>
Date: Tue, 17 Jul 2012 07:46:29 -0700 (PDT)
I can't speak specifically for Andre or his company, but there are many cases where development environments are very
logically in-scope for security audits.
The BITS-FISAP audit standards require a security review of the pre-production environment.
The SAS-70 audit brings pre-production environments in scope in various cases. Specifically the SAS-70 Type II audit
brings into scope the "design, development and change cycles for hardware and software systems".
Real-world case example:
The organization I work for has large financial organizations as customers. The larger ones send their own security
auditors out to vendors who receive their customer's data. Amongst many standard questions they want to know what the
vendors are doing to address potential code vulnerabilities in the development phase of the SDLC (software development
life cycle). Stuff like:
What is the process flow in the organization's SDLC? Where are system/application security requirements being
addressed within the SDLC?
What are the organization's guidelines for architecting secure applications?
What are the published development guidelines for addressing the security requirements around: authentication,
authorization, input validation, exception management, session management, encryption of data and secrets in transit
and in storage, auditing/logging, etc, etc, etc.?
What are the source code and version control procedures to verify code integrity?
Are the developers being trained in secure coding practices?
Are source code reviews being performed to catch security issues before they hit QA or production? What tools or
methodologies are being used to test for coding issues?
Is production data ever introduced into the development environment? If so, is it sanitized/obfuscated beforehand?
What is the process for authorizing those data copies? What is the process for auditing the development environment
for production data, and/or validating that the obfuscation has been performed in each case?
What is the process for moving code up the chain from development to QA/staging and then production? Are
adequate separation of duties and access controls in place in that process?
And so on, and so on, and so on.
Because the organization I work for also contracts services from other vendors and we provide them our customer data,
sometimes we have to do the same types of audits of those vendors, which may include a review of their pre-production
environment based on various circumstances. Let's go back to Andre's situation though, and pretend his company is
offering my company some service or software for processing online payments. I'd want to know the answers to many of
the sample questions above (which were all typed off-the-cuff). I'd be super-interested in knowing how Andre's
company's service and software addresses payment-message integrity, to be assured that the payments my organization
received matched those being submitted. And that comes into system design first - pre-production.
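One of the audit questions above asks how an organization validates that production data copied into development has actually been obfuscated. The following is an added example (not code from the original post or from any of the companies mentioned) of the kind of check an auditor or the team itself could run over an exported development table: it looks for unmasked card-number-like strings, uses the Luhn checksum to discard random digit runs such as order or phone numbers, and ignores the publicly documented test PANs. The sample rows, the column names and the `KNOWN_TEST_PANS` set are constructed for the example.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Publicly documented test PANs that are expected in a dev environment (constructed subset).
KNOWN_TEST_PANS = {"4111111111111111", "5555555555554444", "378282246310005"}


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep only the last four digits so findings can be reported without re-exposing the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_live_pans(text):
    """Return normalized PAN-looking strings that pass Luhn and are not known test numbers."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits) and digits not in KNOWN_TEST_PANS:
            hits.append(digits)
    return hits


def audit_rows(rows):
    """Scan every non-id column of every row; return (row id, column, masked PAN) per finding."""
    findings = []
    for row in rows:
        for col, val in row.items():
            if col == "id":
                continue
            for pan in find_live_pans(str(val)):
                findings.append((row["id"], col, mask(pan)))
    return findings


# Constructed export of a development table. Only row 3 should be flagged:
# row 1 holds a documented test PAN, row 2 is already masked, and the 13-digit
# order number and the 16-digit string in row 4 both fail the Luhn check.
SAMPLE_DEV_ROWS = [
    {"id": 1, "customer": "Test User", "card": "4111 1111 1111 1111"},
    {"id": 2, "customer": "A. Smith", "card": "************4242", "note": "order 1234567890123"},
    {"id": 3, "customer": "B. Jones", "card": "4242-4242-4242-4242"},
    {"id": 4, "customer": "C. Brown", "note": "callback 4242424242424243"},
]

if __name__ == "__main__":
    for row_id, col, masked in audit_rows(SAMPLE_DEV_ROWS):
        print(f"row {row_id}: column '{col}' contains an unmasked card number ({masked})")
```

The report deliberately prints only the masked form of each hit, so the audit log itself does not become another copy of the sensitive data. Running the scan after every authorized production-to-dev copy, and keeping its output with the authorization record, gives an auditor exactly the evidence the question asks for.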
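The post closes on payment-message integrity: the receiving side must be able to tell that the payment it got is the one that was submitted. As an added illustration (not code from the original post or from Andre's company), here is the usual shape of that control: the submitter computes an HMAC over a canonical serialization of the message fields with a secret shared with the processor, and the processor recomputes and compares it before acting on the amount. The field names, the shared secret and the sample message are constructed for the example; a real design would also bind a timestamp or nonce for replay protection, which the `nonce` field only hints at.

```python
import hashlib
import hmac
import json


def canonical_bytes(message):
    """Serialize the message deterministically so both parties hash identical bytes.

    Sorted keys and compact separators remove any dependence on dict ordering or whitespace.
    """
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_payment(secret, message):
    """Return the hex HMAC-SHA256 tag that the submitter attaches to the payment message."""
    return hmac.new(secret, canonical_bytes(message), hashlib.sha256).hexdigest()


def verify_payment(secret, message, tag):
    """Recompute the tag on the receiving side and compare in constant time."""
    expected = sign_payment(secret, message)
    return hmac.compare_digest(expected, tag)


# Constructed shared secret and payment message used only for this example.
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"
SUBMITTED = {
    "merchant_id": "M-1001",
    "order_id": "A-57",
    "amount": "49.99",
    "currency": "GBP",
    "nonce": "7f3c",
}

if __name__ == "__main__":
    tag = sign_payment(SHARED_SECRET, SUBMITTED)
    print("submitted message verifies:", verify_payment(SHARED_SECRET, SUBMITTED, tag))

    # The same tag must not validate a message whose amount was changed in transit.
    tampered = dict(SUBMITTED, amount="4999.99")
    print("tampered message verifies:", verify_payment(SHARED_SECRET, tampered, tag))
```

The design point an auditor looks for is that the integrity check covers every field that affects the money movement (amount, currency, merchant, order) and that the comparison is constant-time; a tag computed over only part of the message, or compared with `==`, would not satisfy the question.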
----- Original Message -----
From: "Thugzclub" <thugzclub () googlemail com>
To: "Security" <security () ignorable com>
Cc: security-basics () securityfocus com
Sent: Thursday, July 12, 2012 3:39:41 PM
Subject: Re: Recommendation for a comprehensive security audit
Why is your preproduction environment in scope? It does not appear to be in scope at all.
On 10 Jul 2012, at 15:56, Security <security () ignorable com> wrote:
We are an online payments solution provider start-up in the UK and are about to roll out our first web application,
using fairly standard technologies like MySQL, Apache, Java, NodeJS, Flash, Flex and so forth.
What we are looking for is a comprehensive security audit encompassing our production as well as development and
office environments, not just from a technical perspective but also in regards to physical security. This also needs
to include compliance testing for PCI, FSA and possibly others.
Can someone recommend any companies for this, or alternatively a forum with reviews of such companies?
Many thanks in advance,