Auditing of security controls in the CBS and retail products

Audit of the SDLC, with its numerous customizations, as practised at the bank (process audit). The key parameters checked were:

- Availability of the software requirement specification (SRS)
- Version control of the SRS
- Test plan / test strategy
- Sufficiency of test cases
- Regression test plan
- Release management

Application administrative practices

- How servers are updated
- Review of user manuals
- Sufficiency of user-training materials
- Application installation procedures

Validation of the application's security controls against the corporate security policy and its procedures.

Team selection

The team members were selected on the following basis:

- Exposure to SDLC models and practices
- Prior application security expertise
- Software testing experience
- Process audit experience

The procedure

Our first step was to develop a questionnaire covering the core subject areas. The questionnaire was based on the application architecture study done by the audit team. Using the questionnaire, multiple rounds of discussions were conducted with various administrators and application owners. One of the major objectives of discussions of this sort is to perform an architecture analysis.

Next came the document review. The audit team reviewed all the documents pertaining to the functionality and the architecture of the application. Unfortunately, no standard exists for custom applications, which meant that our team had to come up with a best-practices document. Once the best-practices document was ready, the application documents were validated against it. A sufficiency test was conducted on the documents to validate whether the requirements specified during the design phase had been met.

Then came the real test: a black-box examination of the application's interface under certain conditions, conducted to see how secure it was and whether the application was susceptible to any known web vulnerabilities.

Our value to our customer

- A best-practices document to safeguard the application in that specific environment.
- A report listing the weaknesses found in the software.
- Details of inadequacies in processes and procedures.
- Recommendations to remediate the discovered vulnerabilities.

Our future prospects with the customer

Some of the areas where we could add value for the customer in the future are:

- Process development for the SDLC and related areas
- Future audits
- Testing of the application being entrusted to us by the application service provider