How to conduct an Enterprise Application Risk Assessment

When faced with the task of assessing an enterprise application or solution, many people are immediately daunted by the thought of working out how to conduct the examination properly. As a security consultant, your reputation is as important as your work, and it depends on how good your recommendations turn out to be.

How do you make sure you assess an application correctly, so that the organisation buys the most secure solution for its particular environment?

The first three steps are the same as for any risk assessment. The steps are as follows:

• Step 1

UNDERSTAND YOUR GOALS/OBJECTIVES

What is the issue you are trying to resolve? Are you trying to make sure the company complies with a mandated government policy, or trying to protect client or employee information? This step is crucial because it sets the tempo and scope of the assessment.

• Step 2

UNDERSTAND THE OBJECT AND VALUE OF WHAT YOU NEED TO PROTECT

What is the objective trying to protect? Is the object sensitive data, a location, a network, company reputation, or a mixture of all of these? Once you have identified the objective, establish the value of the object. Depending on the complexity of what you are trying to protect, you may need to conduct a full Business Impact Analysis. This lets you quantify the impact of losing the object. This step is also very important to the assessment because it helps decide how much to spend and which features the selected application must have.

• Step 3

UNDERSTAND YOUR BUSINESS AND INTERNAL INFRASTRUCTURE

It is vital to understand how the company uses and accesses its data. If there are business transactions that support critical areas of the business, these must be identified to ensure a smooth transition to the new platform being assessed. Also understand the limits of the current architecture and any barriers that may exist to proper installation and use of the desired application. To identify these problems, interview the people in the department that will use the new application, together with the technical stakeholders who can speak to the complexities of the current architecture.

• Step 4

UNDERSTAND THE APPLICATION

Once you have a detailed understanding of the objectives, the value of the object, the business and the architecture, you can start the next stage: understanding the proposed application.

It helps to understand the different components and features of the application and to separate them so that the potential risks of each can be examined on its own. Most applications share the same basic components regardless of which product or platform is used. For instance, nearly all enterprise applications are built on the basic premise of client, middleware and database server functionality.

A user is presented with an interface that lets them communicate with the application and make requests. These requests are passed to the middleware, which processes them and makes the required connections to a database to retrieve the data. All of this is a "black box" to a typical user, but each component relies on a number of protocols, ports and pieces of logic to get the job done.

As a security professional, your job is to understand which protocols are used, how data is transferred between these components, and what kind of security is applied to protect the data while in transit. One way to do this is to divide the application into its tiers: User Interface, Application Server and Database Server.

• Step 5

DISSECTING THE USER INTERFACE

Understand what kind of user interface the application offers. Is it web based or a client install? Find out whether the application allows its components to be decoupled. Can the user interface be separated from the rest of the application, or are all features bundled into one package?

A user interface that can be separated enables more granular security, because the protocols that connect to the middleware can be filtered and regulated before they reach the application logic. When it comes to changes and upgrades, a decoupled application will also have less impact on the environment, since individual modules can be upgraded separately rather than the whole bundled application at once.

Which protocols are used to communicate? Is authentication integrated with the existing environment, or do users need to enter credentials? How does the interface connect to the middleware? Which ports must be opened in any firewalls between the components? In which direction does the network traffic for user requests flow? Will it need to traverse any sensitive areas of the network? Is the data flow to the middleware encrypted, or does it travel in the clear?

• Step 6

UNDERSTANDING THE APPLICATION LAYER

The application tier is responsible for receiving user requests, processing them, performing calculations, connecting to the database servers and presenting the requested information back to the user interface. The application logic also hosts services such as authentication services, directory services and other features that should not be directly exposed to the Internet or other public environments. When assessing an application, the security professional will want to understand this tier in depth, and how the proposed solution secures the transactions it handles.

• Step 7

UNDERSTANDING THE DATABASE COMPONENT

This part of the application stores data and accepts connections from the application tier to satisfy user requests. It is the most valuable and vital component, since it holds the information the application manipulates. This component should never be exposed directly to the Internet or other public connections. As a security professional you will want to understand the security that protects this tier and whether it is possible to separate it from the other components. You will need to understand the protocols in use at this tier and the security controls that govern the information stored in it.
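The decomposition described in Steps 4 to 7, together with the questions asked in Step 5 (which ports, which direction, encrypted or in the clear), can be captured as a small model and checked mechanically. The following Python script is an added example and is not part of the original article or of any vendor's product: it records each tier, the network zone it sits in and the flows between them, then flags a database tier reachable from a public zone, authentication or directory services exposed to the Internet, and credentials or sensitive data sent unencrypted, and lists the firewall openings the deployment will need. All component names, zones, ports and flows are constructed assumptions for illustration.

```python
"""Tiered data-flow review for an enterprise application assessment.

Models the three tiers (user interface, application server, database
server), the network zone each lives in, and the flows between them,
then applies the checks a reviewer would make:

  * the database tier must never accept connections from a public zone
  * auth/directory services in the application tier must not be exposed
    to a public zone
  * flows carrying credentials or sensitive data must be encrypted in transit
  * which zone crossings (and therefore firewall rules) the deployment needs

Every component name, zone, port and flow below is a constructed sample,
not an inventory taken from a real product.
"""
from dataclasses import dataclass

PUBLIC_ZONES = {"internet"}
INTERNAL_ONLY_SERVICES = {"auth", "directory"}


@dataclass(frozen=True)
class Component:
    name: str
    tier: str                          # "ui", "app" or "db"
    zone: str                          # "internet", "dmz", "internal" or "restricted"
    services: frozenset = frozenset()  # e.g. {"auth", "directory"}


@dataclass(frozen=True)
class Flow:
    src: str                          # component that initiates the connection
    dst: str                          # component that accepts it
    protocol: str
    port: int
    encrypted: bool
    carries: frozenset = frozenset()  # data on the wire, e.g. {"credentials", "pii"}


def review(components, flows):
    """Return a list of findings (strings); an empty list means no issues found."""
    by_name = {c.name: c for c in components}
    findings = []
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        label = f"{f.src} -> {f.dst} {f.port}/{f.protocol}"
        # Step 7: the database tier must never be reachable from a public zone
        if dst.tier == "db" and src.zone in PUBLIC_ZONES:
            findings.append(f"{label}: database tier accepts connections from public zone '{src.zone}'")
        # Step 6: auth/directory services must not be exposed to a public zone
        exposed = dst.services & INTERNAL_ONLY_SERVICES
        if dst.tier == "app" and src.zone in PUBLIC_ZONES and exposed:
            findings.append(f"{label}: {sorted(exposed)} exposed to public zone '{src.zone}'")
        # Step 5: credentials and sensitive data must not travel in the clear
        if not f.encrypted and f.carries:
            findings.append(f"{label}: {sorted(f.carries)} transmitted in the clear")
    return findings


def firewall_rules(components, flows):
    """Return the distinct zone crossings as (src_zone, dst_zone, protocol, port)."""
    by_name = {c.name: c for c in components}
    rules = set()
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        if src.zone != dst.zone:  # only traffic that crosses a zone boundary needs a rule
            rules.add((src.zone, dst.zone, f.protocol, f.port))
    return sorted(rules)


# Constructed sample: a web UI in the DMZ plus a legacy thick client on the Internet
SAMPLE_COMPONENTS = [
    Component("browser", "ui", "internet"),
    Component("web-ui", "ui", "dmz"),
    Component("thick-client", "ui", "internet"),
    Component("app-server", "app", "internal", frozenset({"auth", "directory"})),
    Component("db-server", "db", "restricted"),
]

SAMPLE_FLOWS = [
    Flow("browser", "web-ui", "https", 443, True, frozenset({"credentials"})),
    Flow("web-ui", "app-server", "http", 8080, False, frozenset({"credentials", "pii"})),
    Flow("app-server", "db-server", "tcp", 1433, True, frozenset({"pii"})),
    Flow("thick-client", "app-server", "ldap", 389, False, frozenset({"credentials"})),
    Flow("thick-client", "db-server", "tcp", 1433, True, frozenset({"pii"})),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_COMPONENTS, SAMPLE_FLOWS):
        print("FINDING:", finding)
    for src_zone, dst_zone, proto, port in firewall_rules(SAMPLE_COMPONENTS, SAMPLE_FLOWS):
        print(f"ALLOW {src_zone} -> {dst_zone} {port}/{proto}")
```

The sample deliberately leaves the thick client's database connection encrypted: it is still reported, because encryption does not change the fact that the database tier is reachable from a public zone. The firewall list is what you hand to the network team when answering the "which ports between which components" question in Step 5.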

• Step 8

CORRELATING IDENTIFIED INFORMATION TO CORPORATE POLICIES

Once you have identified all the components and understood the function and security each one provides, correlate these findings to the specific policy mandates that apply to your industry.