Questions tagged [audit]
For questions about the assessment of software, hardware, systems, people, processes, procedures, projects, etc., that are somehow related to the security of an organization or product. Often these are related to a certification the organization or product holds, or to looking for tools or processes for performing an audit.
465 questions
0 votes
0 answers
13 views
Insights required on my naive approach to audit Firefox extensions [closed]
I tried to search the web on existing projects, but after failed attempts, I decided to code something in my own way, one approach, open to comments and improvements: #!/usr/bin/env python3 import ...
0 votes
0 answers
15 views
Late 2025/2026 equivalent of ExtAnalysis to audit Firefox extensions? [closed]
I discovered ExtAnalysis, tried to run it in a Docker container, but it seems that this project is abandoned. There are too many errors. Some issues have been open since 2023 in the repository. So my ...
0 votes
1 answer
70 views
Managing Contractors with Soc 2 / HIPAA / HiTrust
It's common for companies seeking certification in advanced security environments to require all employees to work on company issued or managed equipment. It's also common to not allow data access to ...
10 votes
1 answer
1k views
Is the ISO27001 audit a paper exercise or do they ask to see specific controls?
We have our first ISO27001 audit coming up soon. We did a practice audit with our external ISO advisor and it was just a paper exercise, asking if we have different policies and then reading through ...
0 votes
1 answer
112 views
Is using software without buying all available patches against security standards?
Canonical, the publishers of Ubuntu, create their own set of security patches for packages in Ubuntu's "universe" repository of community-maintained software. They make these patches ...
1 vote
0 answers
161 views
Given this secure setup, what are some effective attacks that still are possible?
My company is developing an open-source platform that would be hosted on many different servers, deployed in the cloud by many people, that run the "LAMP" stack or something similar. My goal ...
6 votes
2 answers
208 views
Can a nonconformity be raised against a control - for ISMS audit based on ISO 27001?
I read a LinkedIn article by Chris Hall (Post 1, Post 2), who states that Certification Auditors cannot and should not raise nonconformity against the controls and should only raise nonconformity ...
2 votes
0 answers
120 views
Evaluating Self-Hosted Web Applications
Background: There are a lot of self-hosted web applications these days, and often, more than one for the same purpose. In my case I am looking for a replacement for GitHub or other big tech/cloud git ...
0 votes
2 answers
336 views
Should mobile app developers actively prevent apps from running on outdated devices/rooted devices/emulators for security purposes?
From personal experience many mobile apps that I've tested don't actively detect and discourage (with a warning) or even block the app from running on/in: a rooted/jailbroken Android/iOS device ...
2 votes
0 answers
55 views
Is there an open-source way to compliance audit Microsoft 365 Apps [closed]
I am looking for ways to add value to the existing Office 365 Security & Compliance center which is available by default. Adding a HIPAA compliance check, but I don't wanna pay for the templates available ...
1 vote
0 answers
142 views
Log REST API calls in the most auditable way
I am working on a data processing task in an enterprise environment with Python3 installed on a client-side Windows Jump server. I need to download data regularly from a third-party provider, and it ...
0 votes
1 answer
199 views
Do I need to implement additional security measures for my self-hosted container web app?
Could you please suggest if I need to do anything else to ensure that my server is secure against the most common attacks? Currently it seems fine to me, but I would highly appreciate if someone with ...
1 vote
1 answer
196 views
Profiling and monitoring webserver execution over HTTP requests at the kernel level
I would like to know if there is a way to run an app to exhaustion in terms of all possible outcomes that it can provide. What do I mean by that: Let's assume that someone has an (Apache) HTTP Server. ...
0 votes
1 answer
199 views
ISO 27001: do we need audit access to the code of the core application
We want to be 27001 certified and our company is based on one core application that is hosted in our cloud infrastructure but provided by a vendor. Is there a situation where an auditor needs access ...
-1 votes
2 answers
338 views
Laptop Repair vs. Evil Maid
Suppose you need a laptop repair, so you bring it to A big box store where you have some sort of coverage (who will have the computer for 2-3 weeks) A small chain of repair shops a small independent ...