
SOX Compliance and Application Security

The Sarbanes-Oxley Act (SOX) is a US federal law whose purpose is to impose robust integrity requirements on financial reporting and
accounting systems. It applies to all US public companies, to international companies
traded in the US, and to the accounting firms serving them.

SARBANES-OXLEY ACT OF 2002
[Public Law 107–204, Approved July 30, 2002, 116 Stat. 745]
[As Amended Through P.L. 112–106, Enacted April 05, 2012]

Sarbanes Oxley imposes various data protection, privacy and security testing requirements on all companies that must adhere to it. Holistic visibility and inventory of digital assets, together with web and mobile application security, are an indispensable part of the Sarbanes Oxley compliance process:

SEC. 404. [15 U.S.C. 262] MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS

(a) RULES REQUIRED — The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall— (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.


(b) INTERNAL CONTROL EVALUATION AND REPORTING—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer, other than an issuer that is an emerging growth company (as defined in section 3 of the Securities Exchange Act of 1934), shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

ImmuniWeb® for Sarbanes Oxley Compliance

Application security and compliance for Sarbanes Oxley starts with holistic visibility of your digital assets and the risks and threats related to them. You simply cannot protect what you don't know. Therefore, we recommend commencing your Sarbanes Oxley compliance efforts with IT asset discovery, inventory, classification and risk scoring. Our ImmuniWeb® Discovery leverages OSINT technology to rapidly detect your external web, mobile and cloud assets and assigns each an attractiveness and hackability score. Based on our award-winning AI technology, ImmuniWeb Discovery will likewise provide you with a snapshot of your exposure in the Deep and Dark Web. Once this is completed, you are ready to start well-informed, risk-based application security testing for the purpose of Sarbanes Oxley compliance.

For one-time security testing of your web applications and APIs, we recommend ImmuniWeb® On-Demand, which comes with CVE and CWE reporting and CVSSv3 risk scoring. Its in-depth and rapid testing is based on the OWASP Testing Guide (OTGv4), NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, the PCI DSS Information Supplement Penetration Testing Guidance, the FedRAMP Penetration Test Guidance and ISACA’s How to Audit GDPR. The testing comprehensively covers the full spectrum of security vulnerabilities from the SANS Top 25 and OWASP Top 10.

For iOS and Android mobile apps and their backends (e.g. APIs or REST/SOAP web services) we provide all-inclusive testing with ImmuniWeb® MobileSuite, which comes with CVE and CWE reporting and CVSSv3 risk scoring. Its in-depth and rapid testing is based on the OWASP Mobile Security Testing Guide (MSTG) and OWASP Testing Guide (OTGv4), NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, the PCI DSS Information Supplement Penetration Testing Guidance, the FedRAMP Penetration Test Guidance and ISACA’s How to Audit GDPR. The testing comprehensively covers the full spectrum of security vulnerabilities from the SANS Top 25 and OWASP Mobile Top 10.

For the most critical applications that directly impact your Sarbanes Oxley compliance, we offer ImmuniWeb® Continuous for incremental 24/7 testing of any new or updated code. It comes with CVE and CWE reporting and CVSSv3 risk scoring. Its in-depth and rapid testing is based on the OWASP Testing Guide (OTGv4), NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, the PCI DSS Information Supplement Penetration Testing Guidance, the FedRAMP Penetration Test Guidance and ISACA’s How to Audit GDPR. The testing comprehensively covers the full spectrum of security vulnerabilities from the SANS Top 25 and OWASP Top 10.
