Computerworld - During the past few months, my firm has been in the process of implementing PeopleSoft for managing corporate payroll, benefits and other human resources functions. As part of the project, management asked the information security department to conduct a comprehensive audit and penetration test against the infrastructure.
That makes sense, since the data that some of the systems will contain is sensitive in nature. We're implementing the version of Pleasanton, Calif.-based PeopleSoft Inc.'s application that includes a Web-based front end that talks to several other systems. The problem with a Web-based front end, however, is that it gives anyone with a Web browser potential access to the application.
The systems are configured in a three-tiered architecture consisting of front-end Web servers, midtier application servers and back-end databases that house our critical data. This includes employee compensation information, health care data and personal information such as employee Social Security numbers, dates of birth and dependent information.
I've never before audited or conducted penetration testing of a PeopleSoft deployment. To me, however, the purpose of the application is irrelevant. The process, methodology and mind-set are still the same. The main questions that needed to be answered included the following:
• Can someone on the public Internet gain unauthorized access to the PeopleSoft infrastructure?
• Can someone with legitimate access exceed their authorization and gain access to information he shouldn't be able to view?
• Can someone on our internal network without any level of authorization gain access to the infrastructure?
The problem with audits of an implementation like PeopleSoft is that you can't just audit and conduct penetration testing against the application itself. The application consists of network resources, servers, software, people and the interaction of all the pieces to deliver the application in an efficient and secure manner.
The order in which the audit and penetration test is conducted is important. Understanding the entire process, interaction and flow, in my opinion, is the primary and most important step. You can't rely on the network guys to determine correct firewall port configurations. They're just going to do what the application architects ask of them. Nor can you tell the systems administrators how to lock down the systems properly without first knowing how the entire process works.
Operation Overview
We first met with the application folks and had them walk us through the entire system's operation. We covered everything from authentication to how the Web servers, application servers and database servers communicate with one another. We asked what ports were necessary between each
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
