AppSecInc will roll out canned best policies for its database-auditing and intrusion detection software on Monday at InfoSec World. The latest additions to AppSecIncs current roster of best practices will cover the Sarbanes-Oxley Act and FISMA, the Federal Information Security Management Act.
SarbOx requires accountability for the integrity of financial reporting by executives, auditors, securities analysts and legal counsel.
FISMA is a framework for ensuring information security for federal information and assets, and mandates that all government agencies report their overall security health to the Office of Management and Budget, which in turn reports to Congress.
At the heart of all this accountability resides the database, with its wealth of detailed, sensitive information about financial transactions, customer names, patient files, and social security and credit card information.
Ted Julian, vice president of marketing for the New York firm, said the new templates came about after customers complained of trying to ground regulatory compliance within their databases and within their infrastructures.
As it is now, Julian said, companies track transactions in a laborious and high-level manner. “For example, in the case of SarbOx, theyll say, Joe and Steve are responsible for handling those transactions on the balance sheet,” Julian said.
Organizations are trying to make that process more granular and repeatable, Julian said. Application Security Inc. is aiming to enable that approach with tools that allow companies to run tests on databases or applications at any time, thus enabling enterprises to hand over to auditors a clean bill of health for their databases when necessary, he said.
Both the FISMA and SarbOx policies for AppDetective—the companys application-level vulnerability assessment scanner—consist of a Pen Test policy and an Audit policy. The Pen Test policy tests security strength from an external perspective to ensure confidentiality, integrity and availability by determining susceptibility to privilege escalation, password attacks and other known vulnerabilities.
The Audit policy gauges vulnerability to insider threats by testing for privilege escalation. The tests span all application components and include checks for misconfigurations, as well as for strong access and identification/password controls.
The best-practices policy template for AppDetective will be available for free download on Monday. Policies for AppRadar—a real-time database intrusion detection and security-auditing tool—will be available later in the month.