This text is replaced by the Flash movie.

Application Audits, Database Audit

The ERE application audits and database audits to identify vulnerabilities caused by; insufficiently strong security architecture, weak coding and documentation practices, known vulnerabilities, and weak security between applications / databases / users.

The ERE methodology for an application and database is accompanied by an application risk assessment, with risks triaged by criticality and a pro-forma risk based ROI business case for justifying the auditors recommendations. Primary steps for our application audits include:

Remote and internal vulnerability application testing.
Review of systems development lifecycle process.
Review of policies, procedures, documentation and flowcharts.
Review access control lifecycle management.
Review of audit trail of changes / accesses, encryption during transmission, validation of transmitted / received data, and depth of tiers.
Review of problem and management tracking mechanisms, reporting.
Review of application change management, application testing lifecycle, code library, and audit trail of access / changes.
Review of BRP, DRP, back-up, offsite back-up storage, and record lifecycle.
Application testing for use of an IDE and database configuration.
Application testing of actual application code.
Application risk assessment with pro-forma application risk assessment based ROI business case.

Typical Vulnerabilities Identified in Application Audits

Sequel Injection.
Cross Site Scripting.
Lack of integration of security.
Too many tiers in multi-tier application architecture.
Weak lifecycle management of integrated development environments such as Python, PHP, Java, Perl, and .NET.
Weak policies and procedures.
Weak change management of source code.
Weak back-up of source code.
Weak prevention of source code being copied.
Weak admin privileges / access and updated patches for server application and server database platforms.

Typical Vulnerabilities Identified in Database Audits

Weak security of database Connections.
Weak protection of Access Control Table.
Restricting Database access.
Incorrectly configured database security parameters.
Lack of updated patches.
Lack of auditing known exploits.
Weak admin privileges / access and updated patches for server application and server database platforms