Security Audits
Security audits can be categorized in terms of the
object investigated, the focus and the methodology applied.
Conceptual/organizational security audits
Conceptual/organizational security audits normally use a checklist-based
approach, with security vulnerabilities and loopholes being identified
using a combination of interviews, examination of documentation,
workshops and gap analyses. Conceptual/organizational
security audits in line with IT GSHB or ISO/IEC 27001/17799
fall into this category.
Technical security audits
Technical security audits use specialized programs such as port
and security scanners, test malware and debuggers. Because there
are different, and sometimes misleading, designations for technical
security audits, we use the terminology set out in the chart below, which
compares the test types by their characteristics:
Our experts offer security audits for individual applications
or systems (as a complement to the application
security audit) as well as wired (e.g. Internet, DMZ and LAN/WAN)
and wireless networks (e.g. WLAN, Bluetooth, GPRS and infrared).
We recommend combining
the strengths of the various test types in order to optimize
the cost/benefit ratio. OneConsult is ISECOM Licensed Auditor (ILA), Gold Level and ISECOM Partner (Accredited Trainer), guaranteeing that the tests will be thorough and professional and that documentation of the results will be informative and comprehensive.
| Characteristic | Test type 1 | Test type 2 | Test type 3 | Test type 4 |
|---|---|---|---|---|
| Detection of security vulnerabilities | Fully automated | Fully automated | Automated & manual | Automated & manual |
| Use of multiple tools with similar functionality | No | No | Yes | Yes |
| Manual verification of apparent security vulnerabilities | No | Yes | Yes | Yes |
| Exploitation of security vulnerabilities | No | No | Yes | Yes |
| Modification of test object | No | No | No | Yes |
| Approach | Direct | Direct | Direct | Direct & indirect |
| Type of measures recommended | Technical | Technical | Technical & organizational | Technical & organizational |
An application security audit tests an application (e.g. a sector solution
or a multi-tier application) at various levels (e.g. design, documentation
and technology: operating system, database and the application itself).
The exact scope of the technical and/or conceptual test elements
and the test depth depend on the parameters stipulated by the
client.
If you're interested in OneConsult and you'd like
a no-obligation consultation or more information, please contact
us.