Application Security Audit: A system study

Applications are the topmost layer of the IS infrastructure and are its information processing unit. All other parts of the infrastructure, including networks and operating systems, are enablers for the application.

The first step towards securing an application is to identify the weak points in the application and its underlying infrastructure. Such an exercise helps focus the security effort where it matters and strengthens the application.

An approach for application security audit
System study

The team of consultants must interact with the key personnel in the customer organization including the Top Management, Business Owners, IS team and users of the application to understand the existing business workflow and application architecture.

The information gathered is documented in the form of an Application Study Report, which is submitted to the project owner on the customer side for review.

Application audit
As part of the Application audit, the applications in scope are studied, and the aspects addressed are Access Control, Data Integrity, Cryptographic Controls and Data Storage.

The specific points considered under each of these aspects depend on the nature of the application, i.e. on whether it is an intranet, e-commerce, client-server or host-centric application.

These aspects are studied and recommendations are made, taking into consideration best business and application practices and controls.

Data storage audit
The database connected to the application is also studied as part of the application audit. Database audit is carried out to assess the following:

  • Authentication Policies
  • Authorization Parameters
  • System Integrity

Host audit

An application is only as secure as the host on which it resides. The host is scanned using commercial or enhanced open source tools to identify the vulnerabilities. Activities as part of the host audit are:

  • Port-based attacks on the host
  • Operating system penetration testing
  • Service and data pilferage checks

Process review

The existing processes followed for development, maintenance, support, operations and disaster recovery are reviewed and compared against security best practices and BS 7799 / ISO 17799. A list of process improvement steps is then recommended.

Policy gap analysis

The existing security policies and controls implemented in the Application and Infrastructure are compared with standards such as BS 7799 / ISO 17799. A report detailing the gap between the existing state and the selected standard is provided, along with recommendations to rectify the gaps.

What can the customer expect?

After the audit of the applications, databases, underlying infrastructure, business processes and IS practices, the following will be provided to the customer:

  • Application Study Document
  • Application Audit Report
  • Database Audit Report
  • Host Audit Report
  • Gap Analysis and Recommendation Report

Benefits to the customer

  • Identify the various components in the application and the role they play in the functioning of the organization
  • Expose vulnerabilities existing in the application
  • Assess the current state of application security
  • Assess the impact on the business if any of the identified security gaps or weak points are exploited
  • Prioritize and focus various efforts in securing the infrastructure
  • Identify the deviation of the current situation from the standards that the organization has set and/or the ideal scenario

Copyright 2003-2004 Net ProActive Services. All Rights Reserved