 |
| About the author |
| Joel Scambray has held diverse roles in information security over a dozen years, including co-author of Hacking Exposed: Windows and Hacking Exposed: Web Applications, senior director of security at Microsoft, co-founder of security technology and service company Foundstone, senior security consultant for Ernst & Young and internationally recognized speaker in both public and private forums. Listen to the supplemental podcast with Joel for more information on security site assessments. |
|
|
|
|
A lack of access/credentials is often a major showstopper -- it's hard to assess something that you can't get to! Allow appropriate padding to the schedule to ensure that customer credential/account provisioning systems/processes work. If the assessment is full-knowledge, make sure the consultants have access to any documentation, personnel and/or training that may be required. For example, a white-box line-of-business application assessment should begin with a review of software design and specification documentation, plus any necessary training on accessing software source code and bug-tracking repositories. Without these items, the assessment team can sit idle while the customer gets little value -- all due to a simple lack of preparation.
Another necessity of preparation is to ensure that permissions have been granted to assess all of the elements within scope. It never hurts to re-clarify with the customer if there are any doubts, particularly around partner/third-party systems that may be of unclear ownership. This issue commonly arises in outsourced data center hosting arrangements, where many organizations are hosted near each other by a common provider(s), and access to the customer potentially crosses third-party-owned infrastructure. Be sure that the assessment techniques being employed are well-understood by all parties, so as to avoid unnecessary risks of downtime or policy violations to unrelated systems.
Return to the security site assessment FAQ guide and read the rest of Joel's expert answers.
