Aplura Security Assessment: The Situation – Mid-Sized Application provider
Commercial Application Provider
- Manages and maintains a web-based HR solution for US Federal entities
- All software and data are hosted on Application Provider systems
Federal Guidelines
- The Application provider as a commercial entity does not fall under Federal regulatory compliance requirements; however, their customers require similar standards.
- The Application provider, in preparation for a new, very large non-civilian federal customer, needed to demonstrate an appropriate security posture with a small threat surface.
- The solution must meet the following:
- External evaluation for unnecessary access
- Report discovered flaws from Web Application evaluation
- All system/application interrogation must be performed during specified maintenance windows to minimize operational impact.
- The entire project was to be completed quickly to meet operational commitments the Application provider made to their new customer.
The Solution
- Aplura’s consultants worked with the Application provider and their IT contractor, who manages their data center.
- Aplura modified their Aplura Security Assessment (ASA) to customize it for this purpose.
- The ASA was well suited for this work, since it covered the requirements and provided considerable additional value to the customer.
The Results
- The customer was provided a report that met all of their requirements.
- The report also raised additional considerations regarding unnecessary information disclosure found during the network services interrogation.
