Questions tagged [audit]
For questions about the assessment of software, hardware, systems, people, processes, procedures, projects, etc, that are somehow related to the security of an organization or product. Often these are related to a certification the organization or product holds, or looking for tools or processes for performing an audit.
459 questions
4 votes, 1 answer, 165 views
Need help collating resources for an information/cyber security audit document for an MSP
I am currently serving out an internship with a small MSP (4 employees, 50-100 clients with between a couple and 100 employees).
My main project is to work on an information/cyber security audit ...
1 vote, 1 answer, 140 views
Monitoring User (developer) interaction
I'm looking for a "tamper proof" way, if there is such a thing, to monitor what a developer/engineer does on a given system.
To expand a bit more about this, we have several systems that run ...
2 votes, 1 answer, 694 views
Getting numerous HEAD requests by Java user agents to resources that require authentication to view within a web application. Should I block them?
I have recently started using Cloudflare's firewall in front of a web application. This app has a limited user base of selected applicants and they must log in to view anything. There is no public ...
0 votes, 2 answers, 237 views
Difference between Web App Pentesting and Web App Security Audit
I'm having a hard time drawing the line between Web App pentesting vs a Web App Security Audit.
For instance, OWASP Testing Guide could be used for both of those cases.
Let's say the pentester and ...
0 votes, 1 answer, 161 views
IT security audit: is threat modelling key to reproducible success, or just following a methodology (ex: ethical hacking)?
To sum up the methodology of ethical hacking, what you do is:
Information gathering (gets the IP, domains, etc...)
Fingerprint the IP (what OS, what services are running, etc...)
Vulnerability ...
0 votes, 1 answer, 139 views
How can Linux service installation page create an attack surface?
Based on one of the lectures of the Planning, Auditing and Maintaining Enterprise Systems course by Greg Williams (Department of Computer Science, University of Colorado):
Let's say they were installing ...
5 votes, 1 answer, 2k views
Is it insecure to expose private bucket names through signed URL?
AWS provides signed URLs to objects in a bucket. On the backend we can connect with AWS, create such signed URLs and send them to the front-end. Just discussing this one use case where we use that signed URL to make ...
0 votes, 0 answers, 183 views
Is attribute-based encryption safe for production use?
I'm very interested in attribute-based encryption (ABE). I see various working examples online, and I want to know, has it been verified as production-ready? What does it mean to have a security audit,...
0 votes, 0 answers, 157 views
How to Ask for More Transparency from Companies Handling Our Personal Data
A company's asked me to submit a scan of my passport claiming KYC (Know Your Customer) and AML (Anti-money Laundering) purposes. In times of daily data breaches, what can we ask for a company to be ...
1 vote, 0 answers, 164 views
Saving the entire Windows event log for auditing & preserving digital evidence
As an admin one gets tasked with configuring [Microsoft Windows 10] computers so that auditing is enabled and captures all events as required by some list that's already defined and handed down.
...
86 votes, 6 answers, 20k views
How am I ever going to be able to "vet" 120,000+ lines of Composer PHP code not written by me? [duplicate]
I depend on PHP CLI for all kinds of personal and (hopefully, soon) professional/mission-critical "business logic". (This could be any other language and the exact same problem would still stand; I'm ...
0 votes, 3 answers, 342 views
Providing password review results to auditors
The IT Security department is getting audited, and the auditor has approached our IT Security team and requested to see the results of the password review process, which compares the existing database of ...
3 votes, 1 answer, 323 views
When a closed-source company hires somebody to audit their code, is the auditor forced to do it in the company's office?
Let's say that ACME, Inc. is making closed-source software. It's closed for a reason (they don't want it leaving their building other than in compiled form). Now, they are hiring some company/person ...
4 votes, 3 answers, 493 views
How do we cross-verify if the device is doing exactly what it is supposed to do?
How do we know any device is doing what it is supposed to do? For example, Android is an open-source OS (ignore google libraries for now) and they do claim that all passwords will only be stored on ...
0 votes, 0 answers, 132 views
Sony Access Log (PlayStation Network) does not exist
Yesterday my wife received some emails from Sony confirming her purchases on PlayStation Network. The only problem is: she was by my side watching Netflix on the smart TV.
The purchased item is a ...