Your Compliance Auditor Needs Access – Choose Your Security Tools Wisely

[Image: SoftwareSecurityTools.png]

Back in my info sec manager days, I had to take into consideration a lot of different factors when deciding if a particular product or service would fit into the organization's security strategy (usually cost, effectiveness, ease of implementation, ease of management, etc.). But one item that I learned early on to add to that list of factors was a bit unusual: my compliance auditor.


Oh wait, you mean "compliance," right? Nope, I'm talking about an individual person (though compliance was definitely a factor). Like a lot of security managers, I considered audits to be an inconvenience at best and pure torture at worst. So my main goal was to get that auditor in and out of my office as quickly as possible with the data he needed.


Quick note: I fully recognize the value of audits when they are done correctly.

When I first started dealing with audits, I would generate and print the reports the auditor wanted. Invariably I would get a reply from the auditor saying he needed different data, or he needed another report, or he forgot to include some piece of data in his original request. The back and forth drove me mad because I was trying to get my daily job done. The more time I spent on getting the auditor the data he needed, the less time I was able to spend on actually securing the environment.


I knew there had to be a better way. So as I experimented with ways to make that happen, I soon discovered that the best way to get the auditor out of my hair - yes, I had hair back then - was to gather all the data he might consider relevant to the audit, and then I GAVE HIM ACCESS. Back in those days it was extremely difficult to perform such a feat (not that it is easy today, but it's definitely easier). I did what I could with the technology that was available (SIEM, log repositories, etc.), and I filled in what was left. He loved the access, and I got to keep working while he dug through the data. And that is why I started testing the process of reporting and granting access to the reports in security tools before I purchased them. And I always requested sample reports from contractors before I bought their services so that I could see how organized they were. Both of these were (and still are) very important factors in giving the auditor what he needed so I could keep working.


These days I find myself trying to help customers apply this concept to application security. If an auditor needs access to the security assessment report on your applications, running reports and then rerunning reports and then running them again is enough to make you want to poke your eyes out. This is especially true with application security because there are usually multiple teams involved in securing the apps. Development writes the app, the web security team scans the sites, the database group secures the data, the network team puts in the web application firewall, and on and on. Who is the one that gets the data to the auditor? Does the security team have to go gather each piece of evidence on the security of the applications? How hard is it to get each group to respond in time, or even at all?


This is why it is very important to consider ease of access to application security data when thinking about a tool or service to handle your application security testing. Does your tool allow multiple users with different levels of access? Or are your user licenses limited so that only one or two people can see test results? Can your auditor get into the tool and pull the reports she needs without needing to go back to you? Or does she need to request a new report multiple times until you get exactly what she is looking for? Can you sit the auditor down in front of a screen and walk away to get some work done? Or do you need to babysit the auditor through the whole process?


Multiple levels of access for unlimited users is one of the primary strengths of the Fortify on Demand portal. Whether you are scanning a single app once or scanning 500 apps multiple times over a year, you can add as many users to the portal as you want, with the access levels you need. When your auditor comes in and asks for a report, all you need to do is create a username, set up the appropriate access, and sit her down in front of the monitor to peruse the reports and data. She gets the data she wants, and you get to go back to work. It's a win-win scenario.


[Image: portal-user-admin.png]

To request a demo or find out more about Fortify on Demand, contact our security team.

About the Author
US Army veteran. IT and infoSec professional since 1994. Founder of HouSecCon. aka m1a1vet
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.