Educause Security Discussion mailing list archives

Re: Security Audit -- Application Layer


From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Wed, 26 Jan 2011 08:22:08 -0500

The need for application level audits is real. Attackers don't go after the operating system so much anymore, largely 
because patching of the OS has "grown up".

Applications on the other hand are often riddled with programming errors that make them easy to exploit with SQL 
injection, and other common techniques. Also, the application holds the data, which is often the target of the attack.

To use an application audit to your advantage, you could perhaps use the findings to demonstrate the need to educate 
developers in secure programming techniques, or even to acquire some in-house app scanning tool that could be 
integrated with the SDLC.

App Dev problems often repeat... so if you have an in-house team developing applications, it is likely that the same 
issues occur across multiple applications. Rather than testing all applications, you could start the audit with a 10% 
sampling of applications. If the same problems reoccur across the 10%, then you've likely demonstrated the most common 
problems and saved $$$ doing so.

If the budget allows, it can also be interesting to test Commercial Off The Shelf software (starting with the highest 
risk applications). People often assume that COTS packages are secure, but often they are far from it (owing to 
marketing and the get-it-out-the-door factor).

--hope this is helpful.

Dan Jones
ISO
UMass Medical School

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Casey
Sent: Wednesday, January 26, 2011 7:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Audit -- Application Layer

In organizing a security audit RFP, it seems that any granular look at our ERP systems (i.e., looking at the security 
of each "page," instead of just the box upon which these apps live) would take the cost of this audit from "somewhat 
challenging to sell to our Cabinet" to "you've got to be kidding me."

Just looking for a reality check: is an audit that doesn't look this deeply at the application layer only half an audit 
(or less), and is this element as expensive as I fear, or have I not spoken with enough firms?

I would expect responses (hopefully) somewhere between, "Yes, you really need to do this and spend the money, or tell 
upper management that the job's only half done," and "While it would be nice, it is wicked expensive, so it's rare to 
go that deep; risks will remain if you don't do this, but these should be minimal if you adequately mitigate issues at 
the other layers, and in other areas."


Thanks for your time and opinions,

Kevin

__________________________________________
Kevin Casey
Executive Director
Information Resources
Phone:  (207) 941-7123
Fax:  (207) 941-7988
caseyk () husson edu

Husson University
www.husson.edu