Why do so many people buy into "checklist" audits?

Probably my biggest pet peeve related to application security is the claim by many (typically management) that “We know we’re secure, we just had an audit”. I can’t tell you how many times I’ve seen this situation. Management will require their administrators to go down some random checklist or run a basic vulnerability scan. Worse, they’ll have their internal auditor or a hired external auditor who’ll bring his/her own checklist in and magically, within a few hours, it appears that most things related to security on the Web site/application are safe and secure. Rather than going in-depth and finding the flaws that really matter, many people choose to barely scratch the surface. It’s information risk management at its worst.

This issue provides interesting insight into how we perceive risk. I’ve heard it said that the human brain cannot assess risk until the age of 25. I’m starting to think that age is a little higher. Case in point: we often see business leaders, auditors, and compliance officers claim their Web sites/applications are secure for this, that, and the other reasons. They’ll say things like:

• “We don’t process sensitive information on that application”
• “There’s no way our users would know how to exploit that flaw”
• “We use a firewall and SSL”
• “We’re PCI compliant”
• “We have a Web security seal that says we’re secure”

It’s entertaining yet amazing.

It could be argued that security audits and all the regulations affecting application security are as much of a threat as they are an enabler. I do know they quite often create a false sense of security – especially for the people who don’t understand the technical underpinnings of what we do. On top of that, so many people have differing opinions on what needs to be done to please the auditors and regulators, which I believe only serves to perpetuate the issue.

Regardless of your role in your organization, don’t go down this path, and try to steer others away from it as much as you can. Go beyond the periodic “checklist audit”. Look past “compliance”. Instead, develop a system of routine scans and manual analysis of your Web-based systems. Once you have the raw data, you can determine risks based on the context and perspective of your unique business environment.
