Security audits of services and applications

Security audit

In the contemporary world the issue of network security is becoming more and more essential, particularly in the context of inevitable (still too slow, however) computerization of the country. For instance, e-services like a digital signature or the possibility of establishing a company via the Internet strictly require assuring an appropriate level of security and confidentiality for personal data of the citizens.

Security audits are performed in order to increase the security level of applications and services that are already working or are just going to be introduced. They may be defined as a review and assessment of the security policy of the computer infrastructure implemented within the given entity (that, for instance, hosts a service). The security audit results not only make it possible to eliminate existing threats and vulnerabilities, but also make it possible to work out suitable rules and procedures for the future. The area of security audits is covered by 2 MIC tasks, directed towards self-government entities and commercial enterprises (with special respect to SMEs).

Security audits for self-government entities are expected mainly to cover applications and solutions implemented using the .NET platform. The audits will include a detailed analysis of design assumptions as well as of the application source code. It is expected that the audits will result in increasing quality and security of the application source code and strengthening the image of the .NET platform as an environment for creating secure applications.

As for audits for enterprises, particular emphasis will be placed on services that are offered via Microsoft solutions (e.g. applications on demand). The audits will concentrate on verifying deployment correctness and the efficiency of security measures applied within the enterprise. The expected final effect is to increase the overall security level of offered services.

Year 2006

In the initial period of MIC activity the necessary procedures were prepared and the set of audit tools was analyzed. In cooperation with Microsoft Corporation an initial list of entities was covered by the audit program. Appropriate organizational procedures were worked out as well and preliminary arrangements were finally carried out between MIC and the representatives of entities undergoing the audit program.

Year 2007
  • This year it is planned to perform several pilot security audits for arranged entities belonging to both defined target groups (self-government entities and SMEs). However, within the limit of available resources it is possible to extend the security audits program to additional entities or enterprises. It is also proposed to perform periodic security audits for chosen entities (which will help both to maintain an appropriate security level over a long period of time and to verify the effect of the initial audit). Security audits are offered free of charge. The audits will be performed by experienced specialists of Poznan Supercomputing and Networking Center Security Team.
  • PSNC Security Team is also planning to carry out a security audit of several Microsoft Corporation operating system solutions, namely Public Key Infrastructure (PKI) components available under Microsoft Windows OS, as well as Internet Information Server 7.0.

To obtain more information on the free-of-charge security audits, please contact either a contact person or PSNC Security Team.

Advantages:

  • The audited self-government entities and enterprises will be able to detect and eliminate security flaws of their computer network infrastructure - free of charge,
  • Awareness of computer security issues will be developed amongst the audited organizations,
  • Discovered vulnerabilities will help to prepare a set of "good practices" that are essential for deploying up-to-date and attack-proof technologies and solutions,
  • Secured services and applications will increase the end users' level of trust in new technologies.