Backbone Consultants' application security assessment service helps your organization ensure that the applications supporting your key business processes are properly managed. Whether it is your general ledger, human resources, payroll or another critical application, our technical consultants understand the importance of ensuring the security, confidentiality, integrity and availability of its information. Our in-depth security assessment delivers actionable advice that your application administrator, data owner and other stakeholders can use to improve the security configuration and the processes supporting the application being evaluated.
With extensive experience partnering with large and small organizations alike, Backbone has deep technical expertise in assessing software solutions of all sizes, from common off-the-shelf products to large custom enterprise-wide applications. By using industry-standard frameworks including ISO 27001/2, COBIT and NIST, Backbone leverages widely accepted control baselines as the foundation of our review. The following approach considerations and review areas are included in our application security assessment strategy:
Right-Sized Risk Assessment: Backbone's scoping approach ensures we deliver the depth of assessment your organization actually needs. Factors considered during scoping include data classification, the number of system users, whether the application is internet- or customer-facing, and applicable regulations and compliance requirements. An assessment customized to your environment can reduce expense and focus effort on the areas of your organization that pose the greatest inherent risk.
Layered Security Design: Backbone will evaluate existing and emerging threats that could impact the functioning of your application and its supporting environment. By following a defense-in-depth approach, multiple layers of controls can be established that work together and provide a depth of security appropriate to the value of the data. The existing security design and the administrative processes around it will be reviewed against industry-leading frameworks and standards. The supporting application infrastructure, including but not limited to servers, databases, operating systems, and network devices, will also be considered.
User Access Management: Backbone will partner with the application owner to understand the current user provisioning and periodic access review processes. Whether provisioning is automated or handled manually, we will assess the supporting access request, approval, and fulfillment processes. If role-based access control (RBAC) has been implemented for authorization, our consultants will review the separate permission levels within the application. Where your application uses federation or single sign-on (SSO) for authentication, we will review the security of your default directory services.
Segregation of Duties (SOD): Backbone's analysis includes a review of role permissions to determine whether any combination of functions within an application creates a conflict or allows fraudulent activity. Other applications with conflicting functionality can also be evaluated, so that conflicting pairings of access across applications are identified and avoided. Where it is necessary for a user to hold conflicting duties, an exception rule can be created, assigned, and closely monitored.
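As an added illustration of the kind of check this review performs (example code written for this page, not Backbone's own tooling), the following Python script detects toxic combinations of role permissions both within one application and across applications, and marks pairs that a documented exception covers so they are tracked for monitoring rather than reported as open findings. The application names, role names, conflict rules, users and exceptions are all constructed sample data.

```python
"""Segregation-of-duties (SOD) conflict check over user role assignments.

Added example, not Backbone's tooling. Model assumed here:
  - each user holds a set of roles, each role belonging to one application;
  - a ruleset lists pairs of roles that must not be held together, either
    within a single application or across two applications;
  - a documented exception suppresses the open finding for one user/pair
    but keeps it in the report so it can be monitored.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    app: str   # application the permission lives in, e.g. "gl"
    name: str  # permission / role name inside that application


@dataclass(frozen=True)
class Finding:
    user: str
    roles: tuple          # the conflicting (Role, Role) pair
    rule: str             # human-readable description of the conflict
    excepted: bool        # True when a documented exception covers the pair


# Constructed toxic-combination rules: (role_a, role_b, description).
# The third rule spans two applications (HR and payroll).
SAMPLE_RULES = [
    (Role("gl", "create_vendor"), Role("gl", "approve_payment"),
     "create vendor and approve payment to it"),
    (Role("gl", "post_journal"), Role("gl", "approve_journal"),
     "post and approve own journal entries"),
    (Role("hr", "edit_employee_pay"), Role("payroll", "run_payroll"),
     "edit pay rates and run payroll"),
]

# Constructed user-to-role assignments, as an access review would export them.
SAMPLE_ASSIGNMENTS = {
    "alice": {Role("gl", "create_vendor"), Role("gl", "approve_payment")},
    "bob": {Role("hr", "edit_employee_pay"), Role("payroll", "run_payroll")},
    "carol": {Role("gl", "post_journal")},
}

# Constructed documented exceptions: (user, frozenset of the two roles).
SAMPLE_EXCEPTIONS = {
    ("bob", frozenset({Role("hr", "edit_employee_pay"),
                       Role("payroll", "run_payroll")})),
}


def find_conflicts(assignments, rules, exceptions):
    """Return one Finding per (user, conflicting pair), users in sorted order."""
    findings = []
    for user, roles in sorted(assignments.items()):
        for role_a, role_b, description in rules:
            if role_a in roles and role_b in roles:
                key = (user, frozenset({role_a, role_b}))
                findings.append(Finding(user, (role_a, role_b), description,
                                        key in exceptions))
    return findings


def open_findings(findings):
    """Findings with no documented exception: these need remediation."""
    return [f for f in findings if not f.excepted]


def monitored_findings(findings):
    """Findings covered by an exception: these stay on the monitoring list."""
    return [f for f in findings if f.excepted]


def run_sample():
    """Run the check over the constructed data and return all findings."""
    return find_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_RULES, SAMPLE_EXCEPTIONS)


if __name__ == "__main__":
    results = run_sample()
    for f in open_findings(results):
        print(f"OPEN      {f.user}: {f.rule} ({f.roles[0].app}/{f.roles[1].app})")
    for f in monitored_findings(results):
        print(f"MONITORED {f.user}: {f.rule} (documented exception)")
```

Run as-is, the script reports alice's vendor/payment combination as an open finding and bob's cross-application HR/payroll combination as an excepted pair to be monitored; carol holds only one side of a rule and is not reported. In a real review the assignments would come from the application's own user and role export, and the rule list would be agreed with the data owner.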
Proactive Monitoring: Backbone will review tools, processes, and system logs to ensure that critical components and activities are adequately monitored. A mature monitoring process not only helps you detect issues quickly, but can also be tied into your company's comprehensive risk management strategy. Being able to react quickly to issues or detect suspicious behavior within your application and supporting infrastructure reduces exposure and minimizes remediation costs.
Backbone's application security assessment services deliver the expertise your company needs to address security and compliance issues before they lead to service interruptions, data integrity problems or data leakage, which could result in brand damage, legal fines, and financial losses. By partnering with our team of Certified Information Systems Security Professionals (CISSP), Backbone can help your company gain the assurance it needs that your business's key applications are secure and resilient.