Educause Security Discussion mailing list archives
Re: Security Audit -- Application Layer
From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Wed, 26 Jan 2011 08:22:08 -0500
The need for application level audits is real. Attackers don't go after the operating system so much anymore, largely because patching of the OS has "grown up". Applications, on the other hand, are often riddled with programming errors that make them easy to exploit with SQL injection and other common techniques. Also, the application holds the data, which is often the target of the attack.

To use an application audit to your advantage, you could perhaps use the findings to demonstrate the need to educate developers in secure programming techniques, or even to acquire some in-house app scanning tool that could be integrated with the SDLC.

App Dev problems often repeat... so if you have an in-house team developing applications, it is likely that the same issues occur across multiple applications. Rather than testing all applications, you could start the audit with a 10% sampling of applications. If the same problems reoccur across the 10%, then you've likely demonstrated the most common problems and saved $$$ doing so.

If the budget allows, it can also be interesting to test Commercial Off The Shelf software (starting with the highest risk applications). People often assume that COTS packages are secure, but often they are far from it (owing to marketing and the get-it-out-the-door factor).

--hope this is helpful.

Dan Jones
ISO
UMass Medical School

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Casey
Sent: Wednesday, January 26, 2011 7:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security Audit -- Application Layer

In organizing a security audit RFP, it seems that any granular look at our ERP systems (i.e., looking at the security of each "page," instead of just the box upon which these apps live) would take the cost of this audit from "somewhat challenging to sell to our Cabinet" to "you've got to be kidding me."

Just looking for a reality check: is an audit that doesn't look this deeply at the application layer only half an audit (or less), and is this element as expensive as I fear, or have I not spoken with enough firms? I would expect responses (hopefully) somewhere between, "Yes, you really need to do this and spend the money, or tell upper management that the job's only half done," and "While it would be nice, it is wicked expensive, so it's rare to go that deep; risks will remain if you don't do this, but these should be minimal if you adequately mitigate issues at the other layers, and in other areas."

Thanks for your time and opinions,
Kevin

__________________________________________
Kevin Casey
Executive Director
Information Resources
Phone: (207) 941-7123
Fax: (207) 941-7988
caseyk () husson edu
Husson University
www.husson.edu
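Dan's point about repeated App Dev errors (SQL injection in particular) and an in-house scanning check integrated with the SDLC can be made concrete with a small added example. The code below is not from this thread or from either poster: it is a toy Python static check that flags SQL statements assembled from string concatenation, %-formatting, .format() or f-strings before they reach a DB-API execute call, and it reports the file and line so a developer can swap in the parameterized form. The file names, the sample source in SAMPLE_FILES and all helper names are constructed for the example.

```python
"""Toy SDLC check (added example, not a tool from this thread): flag SQL
statements assembled from string concatenation, %-formatting, .format() or
f-strings before they reach a DB-API execute()/executemany() call. A finding
is the repeated "programming error" an application audit would report; the
parameterized query in safe.py below is the secure-programming fix."""
import ast
from typing import Dict, List, Tuple

EXECUTE_NAMES = {"execute", "executemany", "executescript"}
Finding = Tuple[str, int, str]  # (file name, line number, message)


def _has_str_constant(node: ast.AST) -> bool:
    """True if any literal string appears inside the expression."""
    return any(isinstance(n, ast.Constant) and isinstance(n.value, str)
               for n in ast.walk(node))


def _is_dynamic_string(node: ast.AST) -> bool:
    """Expression that builds a string at runtime from other values."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return _has_str_constant(node)          # "..." + x  or  "..." % x
    if isinstance(node, ast.JoinedStr):          # f"..." with at least one {}
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"        # "...".format(x)
    return False


class SqlBuildFinder(ast.NodeVisitor):
    def __init__(self, filename: str) -> None:
        self.filename = filename
        self.findings: List[Finding] = []
        self.dynamic_names: set = set()   # variables assigned a dynamic string

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        saved = self.dynamic_names          # crude per-function scope
        self.dynamic_names = set()
        self.generic_visit(node)
        self.dynamic_names = saved

    def visit_Assign(self, node: ast.Assign) -> None:
        if _is_dynamic_string(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.dynamic_names.add(target.id)
        self.generic_visit(node)

    def visit_AugAssign(self, node: ast.AugAssign) -> None:
        if isinstance(node.target, ast.Name) and isinstance(node.op, ast.Add):
            self.dynamic_names.add(node.target.id)   # query += ...
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in EXECUTE_NAMES and node.args:
            sql = node.args[0]
            if _is_dynamic_string(sql):
                self.findings.append((self.filename, node.lineno,
                                      "SQL built inline from runtime values"))
            elif isinstance(sql, ast.Name) and sql.id in self.dynamic_names:
                self.findings.append((self.filename, node.lineno,
                                      f"SQL in '{sql.id}' built from runtime values"))
        self.generic_visit(node)


def scan_source(filename: str, source: str) -> List[Finding]:
    finder = SqlBuildFinder(filename)
    finder.visit(ast.parse(source, filename=filename))
    return finder.findings


# Constructed sample files standing in for an in-house application's code.
SAMPLE_FILES: Dict[str, str] = {
    "grades.py": '''
def lookup(conn, username):
    query = "SELECT gpa FROM students WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def lookup_fmt(conn, username):
    return conn.execute(f"SELECT gpa FROM students WHERE username = '{username}'").fetchall()
''',
    "safe.py": '''
def lookup(conn, username):
    # Parameterized: the driver passes username as data, never as SQL text.
    return conn.execute("SELECT gpa FROM students WHERE username = ?", (username,)).fetchall()

def count(conn):
    query = "SELECT COUNT(*) FROM students"
    return conn.execute(query).fetchone()
''',
}


def scan_all(files: Dict[str, str] = SAMPLE_FILES) -> List[Finding]:
    findings: List[Finding] = []
    for name, src in files.items():
        findings.extend(scan_source(name, src))
    return findings


if __name__ == "__main__":
    for fname, line, msg in scan_all():
        print(f"{fname}:{line}: {msg}")
```

Run as a script it lists the two offending lines in grades.py and nothing for safe.py, whose constant query and bound parameter are the pattern developers should be taught. Hooked into a pre-merge step, a check like this catches the same defect across every in-house application at once, which is exactly the repeat-problem pattern Dan describes.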