Vulnerability audit

To whom do we recommend software security audits?

  • To IT risk management (e.g. the CISO), who is responsible for the prevention and mitigation of operational risks related to the applications that implement business processes.
  • To the management responsible and accountable for GDPR compliance, as the protection of personal data depends to a great extent on proper software security.
  • To the units that produce or procure software: the development teams, or the business units that use the software.
  • To the internal security teams: when there are no in-house skills for vulnerability assessment, and even when such skills and an internal practice exist, as external pentesters are usually better qualified and have broader experience.

Why is it useful?

  • Modern software is too complex to be safe, while those involved in producing it tend to focus on delivering functionality on time.
  • Even software produced with security in mind, with security testing built into the CI/CD pipeline, should be checked before going into production. Each major version should be tested.
  • Security issues should be diagnosed early: the earlier an issue is detected, the easier it is to fix, and the easier it is to address all the implications of architecture-related issues.
  • It is useful to rotate security audit teams, as the nature of vulnerabilities and weaknesses is such that different teams find, or miss, different issues.

What do we do?

  • Software engineers have a positive mindset: they are focused on the desired functionality and its best implementation. Hackers, meanwhile, have a security mindset, which is inclined to discover ways of misusing and abusing things [see B. Schneier]. Security auditors help engineers, management and users to view their assets from the perspective of possible weaknesses.
  • Besides having the disposition and skills to discover security problems, we are experienced in how enterprise software development works; we speak the developers' lingo and bridge the gap between security and development.
  • Our auditors are practitioners with authority and years of experience in enterprise software production: security testers who are good at coding, or senior developers who have learned security testing and S-SDLC, the methodology of secure software production.

Your personal contact:

Ferenc Smohay

Economist, CISA, Member of IIA Hungary, head of the Risk & Compliance division of ABT Treuhand Group
