
Questions tagged [audit]

For questions about the assessment of software, hardware, systems, people, processes, procedures, projects, etc., that relate to the security of an organization or product. Often these concern a certification the organization or product holds, or tools and processes for performing an audit.

306 votes, 7 answers, 45k views
Is it normal for auditors to require all company passwords?
My company is currently engaged in a security audit framed as a pentest. They've requested all admin passwords for every one of our services and all source code of our software. They want logins for ...
Asked by Zachary Iles (reputation 2,191)
135 votes, 19 answers, 52k views
Is it common to allow local desktop and/or active directory admin access and rights for developers in organizations?
I work at a company with a staff of about 1000+. We currently have programming development staff that work on web based projects (approx 50 people). Recently due to security concerns our IT and ...
Asked by TroySteven (reputation 1,339)
86 votes, 6 answers, 20k views
How am I ever going to be able to "vet" 120,000+ lines of Composer PHP code not written by me? [duplicate]
I depend on PHP CLI for all kinds of personal and (hopefully, soon) professional/mission-critical "business logic". (This could be any other language and the exact same problem would still stand; I'm ...
Asked by Paranoid Android
50 votes, 3 answers, 73k views
Simple example auditd configuration?
Auditd was recommended in an answer to Linux command logging? The default install on Ubuntu seems to barely log anything. There are several examples that come with it (capp.rules, nispom.rules, stig....
Asked by nealmcb (reputation 20.9k)
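As an added example, not part of the question above or its answers: a small baseline rule set in auditctl syntax of the kind the question asks for, written as a rules.d file so that `augenrules` picks it up. The file name, the choice of watched paths and the UID threshold (1000, the first regular user on Ubuntu) are assumptions; adjust them for the host being audited.

```shell
#!/bin/sh
# Added example: a minimal baseline auditd rule set for an Ubuntu host.
# The path, file name and watched files are assumptions, not from the question.
set -eu

# Write the baseline rules to $1 (default: /etc/audit/rules.d/50-baseline.rules).
write_audit_rules() {
    out="${1:-/etc/audit/rules.d/50-baseline.rules}"
    cat > "$out" <<'EOF'
## Start from a clean slate and size the kernel backlog before adding rules
-D
-b 8192
-f 1

## Identity and privilege files: log any write or attribute change
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-w /etc/sudoers.d/ -p wa -k privilege

## The audit configuration itself
-w /etc/audit/ -p wa -k auditconfig

## Every command executed (the "command logging" the question links to);
## noisy on busy hosts, so keep it keyed for easy filtering with ausearch -k exec
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b32 -S execve -k exec

## UID/GID changes by logged-in regular users (auid is the original login UID)
-a always,exit -F arch=b64 -S setuid,setgid,setresuid,setresgid -F auid>=1000 -F auid!=unset -k privesc

## Failed file opens by regular users: permission denied or operation not permitted
-a always,exit -F arch=b64 -S open,openat,creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open,openat,creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access

## Make the rule set immutable; changing it afterwards requires a reboot.
## If rules are split over several rules.d files, this line must sit in the
## last file in sort order, because nothing after it is accepted.
-e 2
EOF
    echo "$out"
}

# Count the watch (-w) and syscall (-a) rules in a rules file as a sanity check.
count_rules() {
    grep -c -E '^-(w|a) ' "$1"
}

# Load the rules if the audit tooling is present (needs root on a real host).
load_audit_rules() {
    if command -v augenrules >/dev/null 2>&1; then
        augenrules --load
    elif command -v auditctl >/dev/null 2>&1; then
        auditctl -R "$1"
    else
        echo "audit tooling not installed; rules written but not loaded" >&2
        return 1
    fi
}
```

After loading, `auditctl -l` should list the eleven rules and `ausearch -k identity` should show a record after `touch /etc/passwd`; if it does not, check that `auditd` is running and that `-e 2` was not already in effect from an earlier load.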
34 votes, 1 answer, 5k views
Has malware ever been found in a package from a large Linux distribution and what is done to prevent this from occurring?
I am wondering exactly how safe are the Arch, Ubuntu, Mint and Manjaro repositories. What testing is done to ensure that a trusted user does not place a virus in a package, and how often?
Asked by user (reputation 829)
33 votes, 5 answers, 51k views
How to find out that a NIC is in promiscuous mode on a LAN?
Asked by LanceBaynes (reputation 6,289)
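As an added example, not part of the question above or its answers: two local checks for Linux hosts. A NIC on another machine cannot be inspected directly across the LAN, so the dependable checks are the ones run on each host. `ip link` without `-d` does not show PROMISC when a sniffer such as tcpdump enabled promiscuous mode through a packet socket, but `ip -d link` reports the kernel's promiscuity counter, and the kernel logs every transition. The interface names and the sample `ip` and kernel log lines below are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the question or its answers): local promiscuous-mode
# checks for Linux. Interface names and sample text are constructed assumptions.
set -eu

# Extract the kernel's promiscuity counter from `ip -d link show <iface>` output
# read on stdin. It is incremented for every sniffer that enabled promiscuous
# mode, so it is accurate even when the PROMISC flag is not displayed.
promiscuity_from_ip_output() {
    sed -n 's/.*[[:space:]]promiscuity \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 if interface $1 is promiscuous right now, 1 otherwise.
is_promisc() {
    count=$(ip -d link show "$1" | promiscuity_from_ip_output)
    [ "${count:-0}" -gt 0 ]
}

# Read kernel log text on stdin (from `dmesg` or `journalctl -k`) and print the
# interfaces that entered promiscuous mode and have not left it since. Both
# message formats are handled: "device eth0 entered promiscuous mode" (older
# kernels) and "eth0: entered promiscuous mode" (newer kernels).
promisc_from_kernel_log() {
    awk '
        match($0, /(device )?[^ :]+:? (entered|left) promiscuous mode/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^device /, "", s)
            split(s, parts, " ")
            dev = parts[1]
            sub(/:$/, "", dev)
            state[dev] = (parts[2] == "entered")
        }
        END { for (d in state) if (state[d]) print d }
    ' | sort
}

# Report every interface on this host that is currently promiscuous.
promisc_interfaces_now() {
    for dev in /sys/class/net/*; do
        name=${dev##*/}
        if is_promisc "$name"; then
            echo "$name"
        fi
    done
}
```

Running `promisc_interfaces_now` as root on each host in the LAN, or shipping `journalctl -k` output to a central log and feeding it to `promisc_from_kernel_log`, turns the question into a routine check; the log-based variant also catches a sniffer that was started and stopped between polls.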
33 votes, 6 answers, 3k views
Is C a good choice for security-related software any longer? [closed]
C is a rock-solid and widespread programming language that is very popular especially in the FOSS community. Many security-related software (such as encryption libraries) are written in C and will ...
Asked by Aliquis (reputation 879)
31 votes, 4 answers, 5k views
Comply with data protection requirements without giving away too much?
I'm a contractor for a few companies. I build and host their systems on servers I rent from a popular international host. I store the system code on a popular, internationally hosted version control ...
Asked by Oli (reputation 1,151)
30 votes, 9 answers, 10k views
What should a security audit report include?
Background I'm in charge of auditing a medium-scale web application. I have audited web applications several times before, but I've always written a short PDF quickly explaining what I encountered ...
Asked by Adi (reputation 44.2k)
29 votes, 6 answers, 3k views
How can security audits be integrated into an agile project?
If we give a security auditing company a working system, and ask them to audit it, and only do that once during a project because it's expensive, this is basically waterfall. How can security ...
Asked by Robin Green
26 votes, 7 answers, 9k views
Is the unauthorized deletion of data considered a breach of integrity or availability?
I am in the process of writing a security vulnerabilities report on an application used at my employer, having completed an application audit. One discovered vulnerability can lead to unauthorized ...
Asked by Anthony (reputation 1,756)
24 votes, 7 answers, 7k views
What stops a developer from accessing credit card details and other secret data from a company?
First of all, I'm sorry if this has been discussed many times. I read many posts about PCI compliance but there are some small things I'm not quite sure about. Suppose there is Mr. GoodGuy, an ...
Asked by AKS (reputation 754)
22 votes, 5 answers, 28k views
How to simulate DDoS attacks from the Internet?
The idea behind security tests is easy. You want to know what a hacker can do - you hire a security expert who acts like a hacker to see how far he can get. You want to know what an evil admin can do -...
Asked by Demento (reputation 7,495)
18 votes, 6 answers, 1k views
What should I do when classified information stayed on an unauthorized laptop?
Has anyone ever had to deal with an unauthorized laptop accidentally getting Top Secret level data on it? How did you quarantine the system? Were you required to turn in the entire laptop or were you ...
Asked by Crash893 (reputation 351)
18 votes, 3 answers, 1k views
Any comments or advice on OWASP-2013 top 10 number A9
In this iteration of the OWASP top 10 application security vulnerabilities list (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project), a new category 'A9 Using Components with Known ...
Asked by David Scholefield
