Protect Your Assets

Your Compliance Auditor Needs Access – Choose Your Security Tools Wisely

MichaelFarnum ‎02-04-2014 07:24 AM - edited ‎07-21-2015 10:07 AM


Back in my info sec manager days, I had to take into consideration a lot of different factors when deciding if a particular product or service would fit into the organization's security strategy (usually cost, effectiveness, ease of implementation, ease of management, etc.). But one item that I learned early on to add to that list of factors was a bit unusual: my compliance auditor.


Oh wait, you mean "compliance," right? Nope, I'm talking about an individual person (though compliance was definitely a factor). Like a lot of security managers, I considered audits to be an inconvenience at best and pure torture at worst. So my main goal was to get that auditor in and out of my office as quickly as possible with the data he needed.


***Quick note: I fully recognize the value of audits when they are done correctly.


When I first started dealing with audits, I would generate and print the reports the auditor wanted. Invariably I would get a reply from the auditor saying he needed different data, or he needed another report, or he forgot to include some piece of data in his original request. The back and forth drove me mad because I was trying to get my daily job done. The more time I spent on getting the auditor the data he needed, the less time I was able to spend on actually securing the environment.


I knew there had to be a better way. So as I experimented with ways to make that happen, I soon discovered that the best way to get the auditor out of my hair - yes, I had hair back then - was to gather all the data he might consider relevant to the audit, and then I GAVE HIM ACCESS. Back in those days it was extremely difficult to perform such a feat (not that it is easy today, but it's definitely easier). I did what I could with the technology that was available (SIEM, log repositories, etc.), and I filled in what was left. He loved the access, and I got to keep working while he dug through the data. And that is why I started testing the process of reporting and granting access to the reports in security tools before I purchased them. And I always requested sample reports from contractors before I bought their services so that I could see how organized they were. Both of these were (and still are) very important factors in giving the auditor what he needed so I could keep working.


These days I find myself trying to help customers apply this concept to application security. If an auditor needs access to the security assessment report on your applications, running reports and then rerunning reports and then running them again is enough to make you want to poke your eyes out. This is especially true with application security because there are usually multiple teams involved in securing the apps. Development writes the app, the web security team scans the sites, the database group secures the data, the network team puts in the web application firewall, and on and on. Who is the one that gets the data to the auditor? Does the security team have to go gather each piece of evidence on the security of the applications? How hard is it to get each group to respond in time, or even at all?


This is why it is very important to consider ease of access to application security data when thinking about a tool or service to handle your application security testing. Does your tool allow multiple users with different levels of access? Or are your user licenses limited so that only one or two people can see test results? Can your auditor get into the tool and pull the reports she needs without needing to go back to you? Or does she need to request a new report multiple times until you get exactly what she is looking for? Can you sit the auditor down in front of a screen and walk away to get some work done? Or do you need to babysit the auditor through the whole process?


Multiple levels of access for unlimited users is one of the primary strengths of the Fortify on Demand portal. No matter if you are scanning a single app with a single scan or scanning 500 apps multiple times over a year, you can add as many users to the portal as you want with the access levels you need. When your auditor comes in and asks for a report, all you need to do is create a username, set up the appropriate access, and sit her down in front of the monitor and let her peruse the reports and data. She gets the data she wants, and you get to go back to work. It's a win-win scenario.



To request a demo or find out more about Fortify on Demand, contact our security team.

About the Author


US Army veteran. IT and infoSec professional since 1994. Founder of HouSecCon. aka m1a1vet
