Aplura Security Assessment: The Situation - Mid-Sized Application provider
Commercial Application Provider
- Manages and maintains a web-based HR solution for US Federal entities
- All software and data are hosted on Application Provider systems
Federal Guidelines
- The Application provider, as a commercial entity, does not fall under Federal regulatory compliance requirements; however, their customers require similar standards.
- The Application provider, in preparation for a new, very large non-civilian federal customer, needed to demonstrate an appropriate security posture with a small threat surface.
- The solution must meet the following:
  - External evaluation for unnecessary access
  - Report discovered flaws from Web Application evaluation
  - All system/application interrogation must be performed during specified maintenance windows to minimize operational impact.
- The entire project was to be completed quickly to meet operational commitments the Application provider made to their new customer.
The Solution
- Aplura’s consultants worked with the Application provider and the IT contractor that manages their data center.
- Aplura customized its Aplura Security Assessment (ASA) for this purpose.
- The ASA was well suited for this work, since it covered the requirements and provided additional value to the customer.
The Results
- The customer was provided a report which met all of their requirements.
- The report also raised further considerations regarding unnecessary information disclosure found during the network services interrogation.