Security Assessment

“Security Assessment” is such a general term that it is often misused to give stakeholders a false sense of security. You may disagree with this statement and ask what I mean by “general” and “misused”. Let’s talk about what a security assessment actually is.

First of all, we need to understand what the risk exposure of an IT environment or a particular IT application is. From a security perspective, the risk exposure can be classified into the following categories:

- Business risk, such as IT governance, project management and business operations (client enrolment, de-registration, etc.).

- Infrastructure risk, such as internet connectivity, intranet, networking devices, servers, operating systems, storage, backup and recovery.

- Application risk, such as application vulnerabilities (SQL injection, cross-site scripting, replay, man-in-the-middle), application design flaws, application bugs, etc.

- Operational risk, such as the system monitoring process, release management process, problem management process, incident handling process, backup and recovery process, user account management process, etc.

A specific type of security assessment, for example a PenTest, will only be able to cover a portion of this risk profile, and only if it is planned properly. Please keep “if planned properly” in mind, because it leads to the second point.

There are many different types of security assessment:

- Penetration testing

- Vulnerability scan (network, system and “application” interfaces)

- Application security scan (operating system and application)

- Application security assessment (operating system and application, including application business logic)

- Security code review (application)

- Host security testing

- IT General Control (ITGC) audit

- IT security operations review

Each type of security assessment focuses on different IT components and discovers different vulnerabilities. Each security assessment project has a defined scope, which is very likely constrained by budget, time, resources, skills, etc. Planning is therefore very important: the scope and type of the assessment must be chosen so that the high risks are covered.

Now I hope you will agree with the statement at the beginning of this article.
