Application Architecture Review

Application Architecture Review (AAR) is not simply a penetration test or a vulnerability scan. It focuses on the discovery of exploits and evaluates security design & implementation weaknesses using industry standard controls. We take a focused review of:

    • Information gathered from personnel.

    • Specific regulatory and corporate security requirements.

    • Best practices as appropriate.

    • Specific technology, system, and process controls.

6 Layer Approach

    • The security layers that we assess, from external to internal are: Accreditation Boundary, Perimeter, LAN, Host, Application, OS.

    • A vulnerability existing at one layer might be mitigated via protections existing within another layer.

    • Performed in areas of confidentiality, integrity, availability and defense in depth.

Our Methodology

System Identification

    • System Name

    • Application

    • System Category & System Sensitivity

    • Responsibility Matrix

    • General Description

    • System Interconnection, System Environment, Applicable Regulation & Policies

Risk Management Controls

    • Risk Assessment & Management

    • Review of security controls

    • System Planning: Initiation, Development, Implementation, Operation / Maintenance, Disposal

    • Rules of Behavior

Review Operation Controls

    • Personnel Controls

    • Physical / environment controls

    • Contingency Planning

    • Configuration Management

    • Data Integrity / Validation Controls

    • Documentation

    • Incident Response

    • Security Awareness and Training

Review Technical Control

    • Identification and Authentication

    • Logical Access & Controls

    • Audit Trails