? Security Auditing – Definition and Explanations


L’security audit is a snapshot view of an information system (IS). T It allows to compare the status of all or part of the IS with the benchmark.

The strengths of the audit, especially the weaknesses (weaknesses), are listed everything (The whole, understood as the whole of what exists, is often interpreted as the world or…) or part of a system. The auditor also formulates a series of recommendations to eliminate the identified weaknesses. An audit is usually carried out in conjunction with a risk analysis and in relation to a reference system. A warehouse generally consists of:

  • information system security policy (PSSI)
  • Information base of IS
  • company specific rules
  • legal texts
  • security reference documents computer science (IT is the contraction of information and auto is the domain…)

Why a security audit?

Deming wheel (The Deming wheel is an illustration of the PDCA (Plan Do Check Act) quality method, its name is…)

An audit can be carried out for various purposes:

  • react to the attack
  • Get a good idea of ​​the security level of the IS
  • Check the effective implementation of PSSI
  • test new equipment
  • assess security evolution (implies periodic audit)

Either way, it sets a goal check it out Safety. In a security loop, a check occurs after an action is executed. For example, when building a new component in an IS, it is a good idea to test the security of the component after integrating it into a system. environment (Environment is everything that surrounds us. All natural elements and…) test and before its implementation. The wheel (A wheel is a circular organ or mechanical part that rotates around an axis…) Deming’s work illustrates this principle.

The result is an audit report. It contains a complete list of vulnerabilities identified by the auditor in the analyzed system. It also contains a list of recommendations for remediation of discovered vulnerabilities.

Audit should not be confused with risk analysis. He doesn’t allow it that finding vulnerabilities but not determining whether they are tolerable. Conversely, risk analysis allows us to say what risk is considered or accepted for the IS. Therefore, the auditor (service provider) formulates recommendations that the auditee (client) will or will not follow. the customer (The word customer has several meanings 🙂 will determine whether to follow the recommendations by referring to the security policy.

Audit tools


  • COBIT (The CobiT repository (Control Objectives for Information and Related Technologies) is one way…) (Control objectives for information and technology ISACA): proposes a reference system for information systems,
  • CELAR: Electronic Weapons Center responsible for auditing Ministry of Defense organizations,
  • The National Agency for the Security of Information Systems (ANSSI) refers in France issue (Matter is the substance that makes up any body that has material reality. Its…) It was developed by the SSI and in particular developed a general safety reference system (standards and recommendations).

audit experience

Various practices exist and are traditionally performed to develop the most comprehensive list of system vulnerabilities possible.


Interviews are generally essential to any audit. caseorganization (It is an organization) ID is analyzed, they are even important. All persons involved in IS security should be interviewed:

  • Information Systems Director (ISI)
  • Information Systems Security Person(s) (RSSI)
  • Administrators
  • Users of the information system, regardless of whether they have a role in the company’s production, management, or simple use of IT resources.
  • Any other security related role

It is important to frame the questions politely. Indeed, asking people about their work can make them feel judged and results can be skewed. Diplomacy is therefore an essential skill for auditing practice!

Penetration test

Leak testing is a technical auditing practice. Penetration testing can be divided into three main categories: testing white boxtests gray box and so-called tests Black box.

Checking Black box means that the person conducting the test is under conditions real intervention: the test is performed externally and the auditor has minimal information about the information system. So this type of test starts with defining the target:

  • Collection of public information: web pages, employee information, company with a trust relationship with the target.
  • Defining points of availability Internet (The Internet is a global computer network that provides services to the public…).
  • Listening network (A computer network is a set of devices connected to each other to exchange information…).

When conducting tests gray box, the auditor has some information about the system being audited. It is generally provided with a user account. This allows him to position himself skin (Skin is an organ made up of several layers of tissue. It, among other things,…) “normal user”.

Tests white box Get started with all this information (and more) available. Then get to work research (Scientific research is primarily… search for open ports, software version, etc. vulnerabilities using various technical tests such as

The last one phase (The word phase can have several meanings, it is used in several fields and…) exploits weaknesses. Adverse effects may occur (e.g., denial of service), which is not a practical aspect of this phase systematic (In the life sciences and natural history, systematics is the science for…). It consists in determining the means to be implemented to break the system using the discovered vulnerabilities. Depending on the means to be applied, the client can decide on the risk weakness (Weaknesses of the organization or field in risk management…) found to be insignificant (less likely to be exploited) or vice versa should be considered. To prove exploitability, auditors create programs that exploit the vulnerability.

Configuration statements

Here we are talking about an in-depth analysis of the components of the information system. Configurations are checked in detail. Following this observation (Observation is the act of carefully watching events without the will to see them…)A list of vulnerabilities is generated by comparing the statement against a set of configurations and known vulnerabilities that are considered valid.

everything can be checkedarchitecture (Architecture can be defined as the art of constructing buildings.) From IS to applications, incl the owners of the house (The Hostess is a science fiction short story by Isaac Asimov,…) (clients and servers). For example, we will analyze on a server:

  • loader,
  • mechanismsidentification (For authentication computer system…) (power of passwords, usagestrong authentication (Strong authentication in information systems security…)…),
  • the file system (File system (file system or file system in English) or management system…) (access, usage rights encryption (In cryptography, encryption (sometimes incorrectly called encryption) is the process of…)…),
  • Services
  • the entry (Journalism is the act of recording in a journal…),
  • network configuration,

Code audit

There are very reliable vulnerability databases for popular applications. However, it may be necessary to analyze the security of applications that are less commonly used or coded by the company itself. If the application has sources, you need to read and understand source code (Source code (or sources or even source) is a set of instructions written in a . . . language.), to detect any problems that may exist. Specifically, buffer overflows, format errors, or a Web application (In computing, a web application (called a dynamic website or WebApp) is a…)Vulnerabilities that lead to SQL injections…

Code auditing is a very tedious and time consuming experience. Moreover, it generally does not allow, due to complexity (Complexity is a concept used in philosophy, epistemology (for…), to compile a complete list of code vulnerabilities. Automatic methods exist and allow to cut Work with tools like RATS. But only relying on such methods can make us to pass (The Passer breed was created by the French zoologist Mathurin Jacques…) next to the bright problems for man.


For programs Black box, where code does not exist, there is the other side of code analysis, which is indeterminate. This technique involves analyzing the behavior of an application by injecting it as input data (In information technology (IT), data is an elementary description, often…) more or less randomly, with values restrictions. Unlike code auditing, which is a structural analysis, fuzzing is a behavioral analysis of an application.

Leave a Reply

Your email address will not be published. Required fields are marked *