Questions tagged [audit]

For questions about the assessment of software, hardware, systems, people, processes, procedures, projects, etc, that are somehow related to the security of an organization or product. Often these are related to a certification the organization or product holds, or looking for tools or processes for performing an audit.

446 questions
306 votes, 7 answers

Is it normal for auditors to require all company passwords?

My company is currently engaged in a security audit framed as a pentest. They've requested all admin passwords for every one of our services and all source code of our software. They want logins for Google Apps, credit card processors, GitHub,…
Zachary Iles
134 votes, 19 answers

Is it common to allow local desktop and/or active directory admin access and rights for developers in organizations?

I work at a company with a staff of about 1000+. We currently have programming development staff that work on web based projects (approx 50 people). Recently due to security concerns our IT and Security department implemented a restriction no…
TroySteven
87 votes, 6 answers

How am I ever going to be able to "vet" 120,000+ lines of Composer PHP code not written by me?

I depend on PHP CLI for all kinds of personal and (hopefully, soon) professional/mission-critical "business logic". (This could be any other language and the exact same problem would still stand; I'm just stating what I personally use for the sake…
50 votes, 3 answers

Simple example auditd configuration?

Auditd was recommended in an answer to Linux command logging? The default install on Ubuntu seems to barely log anything. There are several examples that come with it (capp.rules, nispom.rules, stig.rules) but it isn't clear what the performance…
nealmcb
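Added example for the auditd question above (this is not code from the question or from any answer on the page): a minimal ruleset that goes well beyond the near-empty default install, written out by a small shell function together with a lint check. It assumes a 64-bit Linux host running auditd, and that the caller picks the output path (normally a file under /etc/audit/rules.d/, followed by `augenrules --load`); the file name, the function names and the chosen watch list are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the page): a minimal auditd ruleset plus a lint check.
# Assumptions: 64-bit Linux with auditd; the caller chooses where the file goes
# (normally /etc/audit/rules.d/10-minimal.rules, then `augenrules --load`).

write_audit_rules() {
    out="$1"
    cat > "$out" <<'EOF'
## Minimal example ruleset: cheap syscall coverage plus a handful of file watches.
# Flush existing rules, enlarge the kernel buffer, and on audit failure
# (buffer full, etc.) print a kernel message instead of panicking (-f 1).
-D
-b 8192
-f 1
# Every program execution, keyed so it can be found with `ausearch -k exec`.
# Both ABIs are listed: a 32-bit binary on a 64-bit host would otherwise be missed.
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b32 -S execve -k exec
# Identity and privilege files: writes and attribute changes.
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity
# The audit configuration itself, so tampering with the rules is logged too.
-w /etc/audit/ -p wa -k auditconfig
# Lock the configuration until reboot. Must be the last line.
-e 2
EOF
}

# Number of real rules (-a syscall rules and -w watches), ignoring control lines.
count_rules() {
    grep -c -E '^-(a|w) ' "$1"
}

# Lint: every rule must carry a -k key (otherwise `ausearch -k` cannot find it)
# and "-e 2" must be the final non-comment line. Returns 0 when both hold.
check_rules() {
    if grep -E '^-(a|w) ' "$1" | grep -v ' -k ' | grep -q .; then
        echo "rule without -k key in $1" >&2
        return 1
    fi
    last=$(grep -v '^#' "$1" | grep -v '^$' | tail -n 1)
    [ "$last" = "-e 2" ]
}
```

The execve rules are the expensive part of any ruleset: on a build host or a shell-heavy box they generate the bulk of the volume, so measure with `aureport` or `ausearch -k exec` over a day before copying them to production. The `-e 2` line makes the rules immutable until reboot, which is what you want on a monitored host but is a nuisance while iterating, so leave it out during testing.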
33 votes, 5 answers

How to find out that a NIC is in promiscuous mode on a LAN?

How to find out that a NIC is in promiscuous mode on a LAN?
LanceBaynes
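Added example for the promiscuous-mode question above (not code from the question or from any answer on the page): the local half of the problem, i.e. finding out whether an interface on a host you can log in to has IFF_PROMISC set. It assumes Linux, where each interface exposes its flags word in sysfs as a hex string; the `SYSFS_NET` variable and the function names are this example's own choices, made overridable so the check can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the page): list local interfaces in promiscuous mode by
# testing the IFF_PROMISC bit (0x100) in each interface's sysfs flags file.
# Assumption: Linux with sysfs. SYSFS_NET is overridable so the functions can be
# pointed at a test tree instead of the real /sys/class/net.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Returns 0 if interface $1 has IFF_PROMISC set, 1 if not, 2 if it cannot be read.
is_promisc() {
    flags=$(cat "$SYSFS_NET/$1/flags" 2>/dev/null) || return 2
    # flags is a hex string such as 0x1103; $(( )) understands the 0x prefix
    [ $(( $flags & 0x100 )) -ne 0 ]
}

# Prints the name of every interface currently in promiscuous mode, one per line.
list_promisc() {
    for d in "$SYSFS_NET"/*; do
        [ -f "$d/flags" ] || continue
        name=${d##*/}
        if is_promisc "$name"; then
            echo "$name"
        fi
    done
}
```

This only answers the question for the host you run it on: an attacker's sniffer on another machine does not show up in your sysfs. Detecting promiscuous hosts across the LAN relies on behavioural tricks instead, most commonly sending ARP requests to a destination MAC that no normal NIC would accept and seeing which hosts still answer, which is what Nmap's sniffer-detect script does; those remote probes are heuristic and a correctly configured sniffer can evade them.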
33 votes, 1 answer

Has malware ever been found in a package from a large Linux distribution and what is done to prevent this from occurring?

I am wondering exactly how safe are the Arch, Ubuntu, Mint and Manjaro repositories. What testing is done to ensure that a trusted user does not place a virus in a package, and how often?
user
33 votes, 6 answers

Is C a good choice for security-related software any longer?

C is a rock-solid and widespread programming language that is very popular especially in the FOSS community. Many security-related software (such as encryption libraries) are written in C and will probably be written in C also in the future. One of…
Aliquis
31 votes, 9 answers

What should a security audit report include?

Background I'm in charge of auditing a medium-scale web application. I have audited web applications several times before, but I've always written a short PDF quickly explaining what I encountered and usually I'm the one who's gonna be fixing those…
Adi
31 votes, 4 answers

Comply with data protection requirements without giving away too much?

I'm a contractor for a few companies. I build and host their systems on servers I rent from a popular international host. I store the system code on a popular, internationally hosted version control system. There are a mix of authentication…
Oli
29 votes, 6 answers

How can security audits be integrated into an agile project?

If we give a security auditing company a working system, and ask them to audit it, and only do that once during a project because it's expensive, this is basically waterfall. How can security auditing be integrated into an agile project without…
Robin Green
26 votes, 7 answers

Is the unauthorized deletion of data considered a breach of integrity or availability?

I am in the process of writing a security vulnerabilities report on an application used at my employer, having completed an application audit. One discovered vulnerability can lead to unauthorized deletion / destruction of data. In the context of…
Anthony
23 votes, 7 answers

What stops a developer from accessing credit card details and other secret data from a company

First of all, I'm sorry if this has been discussed many times. I read many posts about PCI compliance but there are some small things I'm not quite sure about. Suppose there is Mr. GoodGuy, an honest software developer. He develops the main…
AKS
22 votes, 5 answers

How to simulate DDoS attacks from the Internet?

The idea behind security tests is easy. You want to know what a hacker can do - you hire a security expert who acts like a hacker to see how far he can get. You want to know what an evil admin can do - your security experts gets admin privileges and…
Demento
18 votes, 6 answers

What should I do when classified information stayed on an unauthorized laptop?

Has anyone ever had to deal with an unauthorized laptop accidentally getting Top Secret level data on it? How did you quarantine the system. Were you required to turn in the entire laptop or were you able to destroy/format the HDD? NISPOM says that…
Crash893
18 votes, 3 answers

Any comments or advice on OWASP-2013 top 10 number A9

In this iteration of the OWASP top 10 application security vulnerabilities list (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project), a new category 'A9 Using Components with Known Vulnerabilities' has been introduced. This appears to…
David Scholefield