Land mines, application audits: Is your audit scope correct?

Application vulnerabilities are like landmines: find them all or watch your step!

Doing an application audit is like looking for land mines. If you want to find all the land mines, you have to search every single square inch of real estate you want to ensure is mine-free. Otherwise, what’s the point of looking for them in the first place? Similarly for application audits, it’s necessary to audit the entire scope of applications in question, or there is no point in doing the exercise.

Application owners sometimes get confused when commissioning a follow-up audit after they have implemented all of the recommendations from the original audit. Some owners think they can save money on the subsequent audit by having the auditor validate only that the mitigation recommendations were implemented correctly. That is a perfectly valid scope, provided the owner is not concerned about new vulnerabilities, or land mines to continue the analogy, that have been introduced into the environment since the last audit. Most owners are concerned about exactly that, so it is rarely the scope they actually need.

To put a fine point on the issue: between the original audit and the follow-up, two activities may well have occurred within the same timeframe:

• The remediation steps were implemented.

• New vulnerabilities or land mines were introduced.

This issue is obviously worse for web-facing applications, where anyone on the Internet can reach a newly introduced vulnerability and the consequences of a compromise grow with that exposure.

Calculating the Correct Audit Scope

The correct audit scope is one that has an appropriate return on investment. This decision is usually made by the IT security steering committee or by an executive management committee. Since senior management is not interested in technical IT security detail, it is incumbent upon the security analyst to make the ROI case for the audit in terms they do care about: cost and risk. Risk, risk appetite and ROI can be evaluated in terms of:

• Estimated costs to the corporation for each instance of a vulnerability being compromised.

• The estimated number of compromises that might occur in a year, depending upon the degree of IT security due diligence performed by the corporation.

• The appetite of the executives for accepting risk.

• The cost of an initial audit and of subsequent audits.

• The ratio of annual estimated total potential downside cost to annual audit cost.
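The factors above can be put into a small model that a steering committee can argue with. The following is an added example, not code from the original column or from the author; every figure in it is constructed. It computes expected annual loss the standard quantitative way (cost per compromise multiplied by expected compromises per year, summed over the exposures), and it models the two follow-up scopes discussed earlier, verify-only and full re-audit, by assuming that an audit only reduces the exposures it actually looks at. The exposure names, costs, rates, residual fraction and risk appetite are all assumptions.

```python
"""Audit-scope ROI comparison: verify-only follow-up vs. full re-audit.

All figures are constructed for illustration. Expected annual loss is
computed the standard quantitative way: cost per compromise multiplied
by the expected number of compromises per year, summed over exposures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One way the application could be compromised (hypothetical)."""
    name: str
    loss_per_compromise: float         # estimated cost to the corporation per compromise
    compromises_per_year: float        # expected compromises per year if left unaddressed
    introduced_since_last_audit: bool  # True = a 'new land mine' the last audit never saw


@dataclass(frozen=True)
class AuditScope:
    """A candidate scope for the follow-up audit (hypothetical)."""
    name: str
    annual_cost: float
    covers_new_exposures: bool  # False = only re-checks the last audit's findings
    residual_fraction: float    # share of compromises that remain in covered areas


def annualized_loss(exposures):
    """Expected annual loss with nothing addressed."""
    return sum(e.loss_per_compromise * e.compromises_per_year for e in exposures)


def loss_after_audit(exposures, scope):
    """Expected annual loss once the audit's findings are remediated.

    An exposure the scope never looks at keeps its full loss: the audit
    cannot find a land mine in ground it never searched.
    """
    total = 0.0
    for e in exposures:
        in_scope = scope.covers_new_exposures or not e.introduced_since_last_audit
        factor = scope.residual_fraction if in_scope else 1.0
        total += e.loss_per_compromise * e.compromises_per_year * factor
    return total


def evaluate_scope(exposures, scope, risk_appetite):
    """Return the figures a steering committee would weigh for one scope."""
    before = annualized_loss(exposures)
    after = loss_after_audit(exposures, scope)
    return {
        "scope": scope.name,
        "ale_before": before,
        "ale_after": after,
        "audit_cost": scope.annual_cost,
        # Net benefit: risk removed, minus what the audit costs.
        "net_benefit": (before - after) - scope.annual_cost,
        # The ratio of total potential downside to audit cost.
        "downside_to_cost_ratio": before / scope.annual_cost,
        # Residual risk compared with what the executives will accept.
        "within_appetite": after <= risk_appetite,
    }


# Constructed sample exposures; not taken from any real audit.
SAMPLE_EXPOSURES = (
    Exposure("SQL injection in legacy search (found last audit)", 250_000, 0.5, False),
    Exposure("Auth bypass in API added since last audit", 400_000, 0.3, True),
    Exposure("No login rate limiting in new portal", 50_000, 2.0, True),
)

# Constructed candidate scopes; costs and residual fractions are assumptions.
VERIFY_ONLY = AuditScope("verify last audit's remediations only", 15_000, False, 0.1)
FULL_REAUDIT = AuditScope("full re-audit of the application", 60_000, True, 0.1)

# Maximum expected annual loss the executives will accept (assumed).
RISK_APPETITE = 50_000


def compare(exposures=SAMPLE_EXPOSURES, scopes=(VERIFY_ONLY, FULL_REAUDIT),
            risk_appetite=RISK_APPETITE):
    """Evaluate every candidate scope against the same exposures."""
    return [evaluate_scope(exposures, s, risk_appetite) for s in scopes]


if __name__ == "__main__":
    for row in compare():
        print(f"{row['scope']}: expected loss {row['ale_before']:,.0f} -> "
              f"{row['ale_after']:,.0f}, audit cost {row['audit_cost']:,.0f}, "
              f"net benefit {row['net_benefit']:,.0f}, "
              f"downside:cost {row['downside_to_cost_ratio']:.1f}, "
              f"within appetite: {row['within_appetite']}")
```

With these constructed numbers the verify-only scope scores best on the downside-to-cost ratio (23 to 1 against 5.75 to 1), yet it leaves 232,500 of expected annual loss on the table, well above the 50,000 appetite, because the two land mines planted since the last audit are never searched for. The full re-audit costs four times as much and returns about two and a half times the net benefit. The ratio alone is a poor guide to scope; residual risk against appetite is the figure to put in front of the committee.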

Parameters to Scope an Application Audit

Like IT security generally, which is most effective when deployed in complementary layers, an application audit is performed in complementary layers. Each layer covers different ground, and one layer does not replace another. They are simply different ways of evaluating the security health of an application.

Some of the key layers of a web facing application audit are:

External vulnerability assessment

Core issues are authentication and authorization, susceptibility to failure under large traffic volumes (denial of service), whether suspect activity is logged and reported to the application owner, and the presence of known vulnerabilities.

Code Review

The goals are to identify known vulnerabilities, weaknesses in the coding architecture, and whether the documentation and commenting are adequate for an auditor to understand the intended logic well enough to review the security quality of the code.

Code Lifecycle Review

Identify critical security flaws, which are often found where security was not incorporated into the coding architecture, where code change management is poor or non-existent, and where there is no separation of duties between writing code, testing code and handling production code.

Physical Security

Determine the degree to which unauthorized and untraceable access to the code is possible throughout its lifecycle, including storage, transport (electronic transport included) and destruction.

Metaphoric land mines abound!

Have a secure week. Ron Lepofsky CISSP, CISM, B.A.SC.


Copyright © 2011 IDG Communications, Inc.