Security Basics mailing list archives

Re: Recommendation for a comprehensive security audit


From: Vic Vandal <vvandal () well com>
Date: Tue, 17 Jul 2012 07:46:29 -0700 (PDT)

I can't speak specifically for Andre or his company, but there are many cases where development environments are very 
logically in-scope for security audits.  

The BITS-FISAP audit standards require a security review of the pre-production environment.  

The SAS-70 audit brings pre-production environments in scope in various cases.  Specifically the SAS-70 Type II audit 
brings into scope the "design, development and change cycles for hardware and software systems".
http://www.sas70.us.com/industries/saas-and-sas70.php


Real-world case example:
The organization I work for has large financial organizations as customers.  The larger ones send their own security 
auditors out to vendors who receive their customer's data.  Amongst many standard questions they want to know what the 
vendors are doing to address potential code vulnerabilities in the development phase of the SDLC (software development 
life cycle).  Stuff like:

What is the process flow in the organization's SDLC?  Where are system/application security requirements being 
addressed within the SDLC?

What are the organization's guidelines for architecting secure applications?  

What are the published development guidelines for addressing the security requirements around: authentication, 
authorization, input validation, exception management, session management, encryption of data and secrets in transit 
and in storage, auditing/logging, etc, etc, etc.?

What are the source code and version control procedures to verify code integrity?

Are the developers being trained in secure coding practices?  

Are source code reviews being performed to catch security issues before they hit QA or production?  What tools or 
methodologies are being used to test for coding issues?

Is production data ever introduced into the development environment?  If so, is it sanitized/obfuscated beforehand?  
What is the process for authorizing those data copies?  What is the process for auditing the development environment 
for production data, and/or validating that the obfuscation has been performed in each case?

What is the process for moving code up the chain from development to QA/staging and then production?  Are there 
adequate separation of duties and access controls in that process?

And so on, and so on, and so on.  

Because the organization I work for also contracts services from other vendors and we provide them our customer data, 
sometimes we have to do the same types of audits of those vendors, which may include a review of their pre-production 
environment based on various circumstances.  Let's go back to Andre's situation though, and pretend his company is 
offering my company some service or software for processing online payments.  I'd want to know the answers to many of 
the sample questions above (which were all typed off-the-cuff).  I'd be super-interested in knowing how Andre's 
company's service and software addresses payment-message integrity, to be assured that the payments my organization 
received matched those being submitted.  And that comes into system design first - pre-production.

Regards,
Vic

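The payment-message integrity point Vic raises above is the one item in his list that is a concrete design mechanism rather than a process question, so here is an added illustration (not code from the thread or from any company mentioned in it) of the usual approach: the submitter computes an HMAC over a canonical serialization of the payment fields, and the receiver recomputes it, compares in constant time, and also rejects replays by tracking a per-message nonce. The shared secret, the field names, and the nonce scheme are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example only; a real deployment would
# provision a per-merchant key out of band and rotate it.
SHARED_KEY = b"example-shared-secret-not-for-production"


def canonicalize(payment: dict) -> bytes:
    """Deterministic serialization (sorted keys, no whitespace) so that the
    submitter and the receiver MAC exactly the same bytes regardless of how
    their JSON libraries order fields."""
    return json.dumps(payment, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_payment(payment: dict, key: bytes = SHARED_KEY) -> str:
    """Submitter side: HMAC-SHA256 over the canonical payment message."""
    return hmac.new(key, canonicalize(payment), hashlib.sha256).hexdigest()


def verify_payment(payment: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare in constant time so a
    byte-by-byte timing difference does not leak how much of the tag matched."""
    return hmac.compare_digest(sign_payment(payment, key), tag)


def process_incoming(payment: dict, tag: str, seen_nonces: set) -> tuple:
    """Accept a payment only if the tag verifies AND the nonce is fresh.
    The MAC proves the message was not altered in transit; the nonce check
    stops a valid message from being submitted twice."""
    if not verify_payment(payment, tag):
        return ("rejected", "bad_mac")
    if payment["nonce"] in seen_nonces:
        return ("rejected", "replay")
    seen_nonces.add(payment["nonce"])
    return ("accepted", payment["amount"])


def demo() -> list:
    """Walk through the cases an auditor would ask about: clean message,
    tampered amount, replayed message, and field-order independence."""
    seen = set()
    # Constructed sample payment; values are illustrative only.
    original = {"merchant_id": "M-1001", "amount": "100.00",
                "currency": "GBP", "nonce": "8f2c"}
    tag = sign_payment(original)
    results = []

    # 1. Untouched message with its tag is accepted.
    results.append(process_incoming(original, tag, seen))

    # 2. Amount altered in transit but the old tag kept: MAC no longer matches.
    tampered = dict(original, amount="1000.00")
    results.append(process_incoming(tampered, tag, seen))

    # 3. Same valid message submitted again: nonce already seen.
    results.append(process_incoming(original, tag, seen))

    # 4. Same fields in a different order produce the same tag thanks to
    #    canonicalization, so a different sender implementation still verifies.
    reordered = {"nonce": "8f2c", "currency": "GBP",
                 "amount": "100.00", "merchant_id": "M-1001"}
    results.append(("same_tag", sign_payment(reordered) == tag))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The HMAC only answers the "did the amount I received match the amount submitted" question; it says nothing about who is allowed to submit, which is why the key provisioning and the nonce (or a signed timestamp window) have to be designed alongside it, pre-production, exactly as Vic says.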

----- Original Message -----
From: "Thugzclub" <thugzclub () googlemail com>
To: "Security" <security () ignorable com>
Cc: security-basics () securityfocus com
Sent: Thursday, July 12, 2012 3:39:41 PM
Subject: Re: Recommendation for a comprehensive security audit

Why is your preproduction environment in scope? It does not appear to be in scope at all.

Regards.



On 10 Jul 2012, at 15:56, Security <security () ignorable com> wrote:

Hello all,

We are an online payments solution provider start-up in the UK and are about to roll out our first web application, 
using fairly standard technologies like MySQL, Apache, Java, NodeJS, Flash, Flex and so forth.

What we are looking for is a comprehensive security audit encompassing our production as well as development and 
office environments, not just from a technical perspective but also in regards to physical security. This also needs 
to include compliance testing for PCI, FSA and possibly others.

Can someone recommend any companies for this, or alternatively a forum with reviews of such companies?


Many thanks in advance,

Andre




