ERE Information Security Auditors
Home | Site Map | Contact Us |  Resource Center
list of IT security and compliance audit steps
ERE Differentiators from other vendors

Application Audits, Application Penetration Testing, and Database Security

ERE statement of work template

An ERE application security assessment identifies every single application vulnerability caused by; insufficiently strong security architecture, weak coding and documentation practices, known vulnerabilities, and weak security between applications / databases / users. Our application security assessment methodology scope covers both web application pen testing and non-web facing application pen testing.

Each application pen test is accompanied by an application risk assessment, with risks triaged by criticality and a pro-forma risk based ROI business case for justifying the IT security auditors recommendations. Primary steps for our application audits include:

  • A remote and internal application penetration test, performed by a certified CISSP application tester.
  • Review of systems development lifecycle process.
  • Review of security policy documents, security procedures documentation and flowcharts.
  • Review access control lifecycle management.
  • Review of audit trail of changes / accesses, encryption during transmission, validation of transmitted / received data, and depth of tiers.
  • Review of problem and management tracking mechanisms, reporting.
  • Review of application change management, application testing lifecycle, code library, and audit trail of access / changes.
  • Review of BRP, DRP, back-up, offsite back-up storage, and record lifecycle.
  • Application penetration testing for use of an IDE and database configuration.
  • Application vulnerability test of code.
  • Application risk assessment with pro-forma application risk assessment based ROI business case.

Typical Application Vulnerability Identified by Application Security Assessment

  • Sequel Injection.
  • Cross Site Scripting , a critical step for a web application pen test.
  • Lack of integration of security.
  • Too many tiers in multi-tier application architecture.
  • Weak lifecycle management of integrated development environments such as Python, PHP, Java, Perl, and .NET.
  • Weak policies and procedures.
  • Weak change management of source code.
  • Weak back-up of source code.
  • Weak prevention of source code being copied.
  • Weak admin privileges / access and updated patches for server application and server database platforms.

Typical Vulnerabilities Identified in Database Security Assessment

  • Weak security of database Connections.
  • Weak protection of Access Control Table.
  • Restricting Database access.
  • Incorrectly configured database security parameters.
  • Lack of updated patches.
  • Lack of auditing known exploits.
  • Weak admin privileges / access and updated patches for server application and server database platforms


Contact Us Right Up Front

Let us assist you to budget for your next audit. May we send you one of our sample application audits? Contact us and we'll help you scope the right sized audit for your organization.


Contact Us

905 764 3246

  Budgetary Price Quote
  10 minute scope definition call
  ROI Calculation for your next Audit 
  Sanitized Statement of Work
  Sanitized Audit Report
  Product Literature  
  White Papers and Published Articles
  Please see Ron Lepofsky’s book,
The Manager’s Guide to Web Application Security,
published by Apress Media

The Manager's Guide to Web Application Security is a concise, information-packed guide to application security risks every organization faces, written in plain language, with guidance on how to deal with those issues quickly and effectively.

ERE Documentation and Authorship Services
Home | Technology Audits | Compliance Audits | Process Audits | Doc Audit/Authorship| | 7x24 Monitoring | Knowledge Transfer
ERE Differentiators | About Us | Site map | Contact Us | |   | Resource Center
Copyrights © 2007-2008. All rights reserved.  

   AddThis Social Bookmark Button