Spring Security(Third Edition)

Reviewing the audit results

Let's return to our email and see how the audit is progressing. Uh-oh, the results don't look good:

APPLICATION AUDIT RESULTS

This application exhibits the following insecure behavior:

  • Inadvertent privilege escalation due to lack of URL protection and general authentication
  • Inappropriate or non-existent use of authorization
  • Missing database credential security
  • Personally-identifiable or sensitive information is easily accessible or unencrypted
  • Insecure transport-level protection due to lack of SSL encryption
  • Risk level is high

We recommend that this application should be taken offline until these issues can be resolved.

Ouch! This result looks bad for our company. We'd better work to resolve these issues as quickly as possible.
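As an added illustration (not code from the book or its sample application), the following Spring Security Java configuration shows the kind of controls that address the first, second, fourth and fifth findings above: every URL pattern is explicitly mapped to a required role or to `authenticated()`, every request is forced onto HTTPS, and passwords are stored as BCrypt hashes rather than in clear text. The package name, the URL patterns (`/admin/**`, `/events/**`), and the role names are assumptions chosen for the example; the `HttpSecurity` and `PasswordEncoder` APIs are the standard Spring Security 4.x ones.

```java
package com.example.audit; // hypothetical package for this added example

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Maps each audit finding to a concrete Spring Security control.
 * URL patterns and role names below are assumed for illustration.
 */
@Configuration
@EnableWebSecurity
public class AuditFixSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Findings 1 and 2: every URL is covered by an explicit rule, and
            // anyRequest().authenticated() closes the "unprotected by default" gap
            // that allowed privilege escalation.
            .authorizeRequests()
                .antMatchers("/", "/login", "/css/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/events/**").hasRole("USER")
                .anyRequest().authenticated()
                .and()
            // Finding 5: refuse plain HTTP so credentials and session cookies
            // are never sent without transport-level encryption.
            .requiresChannel()
                .anyRequest().requiresSecure()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }

    /**
     * Finding 4 (for stored passwords): hash with BCrypt instead of keeping
     * them in clear text. The same encoder must be used when users are
     * created and when they authenticate.
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

The order of the `antMatchers` rules matters: Spring Security evaluates them top to bottom and applies the first match, so the specific patterns must precede the catch-all `anyRequest()`. Finding 3 (database credential security) is not a Spring Security setting at all; it is addressed by moving the JDBC username and password out of source control into externalized, access-controlled configuration.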

Third-party security specialists are often hired by companies (or their partners or customers) to audit the effectiveness of their software security, through a combination of white hat hacking, source code review, and formal or informal conversations with application developers and architects.

White hat hacking, or ethical hacking, is performed by professionals hired to show companies how to protect themselves better, rather than by attackers acting with malicious intent.

Typically, the goal of security audits is to provide management or clients with the assurance that basic secure development practices have been followed, to ensure the integrity and safety of the customer's data and system functions. Depending on the industry the software is targeted at, the auditor may also test it using industry-specific standards or compliance metrics.

Two specific security standards that you're likely to run into at some point in your career are the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Privacy and Accountability Act (HIPAA) privacy rules. Both these standards are intended to ensure the safety of specific sensitive information (such as credit card and medical information) through a combination of process and software controls. Many other industries and countries have similar rules about sensitive or Personally Identifiable Information (PII). Failure to follow these standards is not only bad practice but also something that could expose you or your company to significant liability (not to mention bad press) in the event of a security breach.

Receiving the results of a security audit can be an eye-opening experience. Following through with the required software improvements can be the perfect opportunity for self-education and software improvement, and can allow you to implement practices and policies that lead to secure software.

Let's review the auditor's findings and come up with a plan to address them in detail.