http://www.theregister.co.uk/2005/05/19/audit_ignoramuses/ By John Leyden 19th May 2005 Some UK corporates routinely ignore the findings of security audits treating them solely as a necessary step to satisfy corporate governance regulations, according to an experienced penetration tester. Tim Ecott, managing consultant at security integrator Integralis, explained that banks and other financial institutions are told they have to carry out a penetration test to comply with audits. In some cases - perhaps five per cent - Ecott and his team discover the same faults every time. "The findings of our reports are not followed up on either by the firms themselves or their auditors. We're not talking about critical security flaws but certainly about things that need fixing and leave firms open to attack," he said. "Some of our clients take our report to pieces and do every thing we advise but with others, it's the same things over and over again. Reports over a period of quarters could be copies of each other with just a different date," Ecott told El Reg. In some cases companies lack the resources to put things right; and often getting new applications up on running is given priority, leaving security concerns neglected, he said. "Firms need to think about security at the beginning of projects rather than as an afterthought. Security and business objectives need to be linked." ® _________________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Fri May 20 2005 - 04:33:23 PDT