Page 44 - ITGC_Audit Guides

From the architecture perspective, the web server usually "talks" to an application server that
                   performs the application's major functions. The application server interfaces with the database
                   where information is stored, which is usually housed on a dedicated database server. Depending on the
                   application, the database may contain sensitive or critical information (e.g., credit card
                   information, health information, or users' personal information) and therefore must be secured
                   and appropriately access-controlled. The database resides on the internal network and is not
                   reachable from the internet. Only the application server can connect to the database, and only
                   the web server can connect to the application server, over a secured connection, as shown in
                   Figure 17. This tiering is enforced by network segmentation between the tiers (firewall rules
                   that permit only the listed connections), not by the application code, so an auditor should
                   verify those rules rather than take the diagram at face value.

                     Figure 17: Typical Web Application Architecture

                     [Diagram: Computer -> Internet -> Web Server (images, pages) -> Application Server (web apps) -> Database Server (data)]

                     Source: The Institute of Internal Auditors

                   In many organizations, the web application architecture will also include a web application firewall
                   (WAF, as shown in Figure 14) to identify, detect, and block web application attacks such as
                   SQL injection or cross-site scripting (XSS). Such attacks can succeed when a web application
                   running on a web server is not coded securely. Rather than reviewing the code of every web
                   application, an organization may deploy a WAF in front of them as a compensating control. A WAF
                   reduces exposure but does not remove the underlying coding weakness: it matches requests against
                   rules, so an attack the rules do not recognize still reaches the application.
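The following added example, which is not code from the IIA guide or from any WAF product, shows the kind of signature matching a WAF performs on request parameters and why requests must be normalized (URL-decoded, case-folded) before matching. The signature set is deliberately tiny and the query strings are constructed for the example; the same payload that is caught after normalization passes the signatures untouched when inspected in its raw, encoded form.

```python
"""Signature-based request inspection of the kind a WAF performs.

Added example, not code from the IIA guide or any WAF product. It checks
query-string parameters against a small set of SQL injection and cross-site
scripting signatures, and shows why the request must be normalized
(URL-decoded, case-folded) before matching: the same payload slips past the
signatures when inspected in its raw, encoded form. Signatures and sample
requests are constructed for the example.
"""
import re
from urllib.parse import unquote_plus

# Deliberately small signature set; production rule sets are far larger.
SIGNATURES = {
    "sqli": re.compile(
        r'[\'"]\s*or\s+[\'"]?\d+[\'"]?\s*=\s*[\'"]?\d+'  # ' or '1'='1
        r"|\bunion\s+select\b"
        r"|--\s*$",                                      # trailing SQL comment
        re.IGNORECASE,
    ),
    "xss": re.compile(
        r"<\s*script\b|javascript\s*:|\bon\w+\s*=",
        re.IGNORECASE,
    ),
}


def normalize(value: str) -> str:
    """URL-decode until stable (defeats double encoding), then case-fold."""
    previous = None
    while previous != value:
        previous, value = value, unquote_plus(value)
    return value.lower()


def inspect(query_string: str, normalize_first: bool = True):
    """Return (parameter, rule) pairs that matched; an empty list means clean."""
    hits = []
    for pair in query_string.split("&"):
        name, _, value = pair.partition("=")
        candidate = normalize(value) if normalize_first else value
        for rule, pattern in SIGNATURES.items():
            if pattern.search(candidate):
                hits.append((name, rule))
    return hits


# Constructed sample query strings (not captured traffic).
CLEAN = "id=42&sort=asc"
SQLI_ENCODED = "id=1'%20OR%20'1'%3D'1"
XSS_DOUBLE_ENCODED = "q=%253Cscript%253Ealert(1)%253C%252Fscript%253E"

if __name__ == "__main__":
    for qs in (CLEAN, SQLI_ENCODED, XSS_DOUBLE_ENCODED):
        print(qs, "-> normalized:", inspect(qs), "raw:", inspect(qs, False))
```

Two points for the auditor follow from this. First, the WAF's value depends on the rule set and on normalization matching what the application itself will decode; a rule set that is never tuned or updated drifts away from the application. Second, signatures like `on\w+=` also match harmless input, so a WAF in blocking mode needs an exception process, and the review should confirm it is actually in blocking rather than monitor-only mode for the applications it is meant to protect.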

                   Application Programming Interfaces (APIs) and Web Services
                   APIs and web services are pieces of code designed to interface with other pieces of code; they
                   define how two applications communicate. They allow an organization's applications to
                   interact with other applications within or outside the organization, and web and mobile
                   applications rely heavily on both. A common distinction is that a web service is an API exposed
                   over the network using web protocols (typically HTTP, with SOAP or REST), whereas the term API also
                   covers interfaces that use other communication protocols or are called in-process. Because these
                   interfaces can be critical to an organization's business functions, the organization should
                   inventory all APIs and web services in use, including those consumed from third parties. Each
                   API's purpose, consumers, and authentication requirements should be part of its documentation,
                   and the APIs and the frameworks and gateways that expose them should be included in the
                   organization's patch management process.
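One practical way to build the inventory the guide asks for is to generate it from the machine-readable API descriptions that development teams already maintain. The following added example, not code from the IIA guide, reads an OpenAPI 3 document and produces one inventory row per operation (service, version, method, path, authentication scheme), then flags operations that can be called without authentication. The sample document, service name, paths and scheme names are constructed for the example.

```python
"""API inventory from an OpenAPI description.

Added example, not code from the IIA guide. Given an OpenAPI 3 document it
produces one inventory row per operation (service, version, method, path,
authentication scheme) and flags operations that can be called without
authentication, which is one check an auditor would run against the API
inventory. The sample document is constructed; the service, paths and
scheme names are hypothetical.
"""
import json

# Path item keys that denote operations (anything else, e.g. "parameters", is metadata).
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def inventory(spec_json: str):
    """Return one inventory row per operation in the OpenAPI document."""
    spec = json.loads(spec_json)
    global_security = spec.get("security", [])
    rows = []
    for path, path_item in spec.get("paths", {}).items():
        for method, operation in path_item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            # An operation-level "security" list overrides the global one. In OpenAPI,
            # an empty list means no authentication and an empty object {} inside the
            # list makes authentication optional; both leave the endpoint open.
            security = operation.get("security", global_security)
            rows.append({
                "service": spec["info"]["title"],
                "version": spec["info"]["version"],   # feeds patch/version tracking
                "method": method.upper(),
                "path": path,
                "auth": sorted({scheme for requirement in security for scheme in requirement}),
                "unauthenticated": not security or any(req == {} for req in security),
            })
    return rows


def unauthenticated_endpoints(rows):
    """(method, path) of every operation reachable without credentials."""
    return [(row["method"], row["path"]) for row in rows if row["unauthenticated"]]


# Constructed sample OpenAPI document (hypothetical service).
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "2.3.1"},
    "security": [{"bearerAuth": []}],          # default for every operation
    "components": {"securitySchemes": {
        "bearerAuth": {"type": "http", "scheme": "bearer"},
        "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
    }},
    "paths": {
        "/orders": {
            "parameters": [{"name": "page", "in": "query"}],
            "get": {"summary": "List orders"},
        },
        "/orders/{id}": {
            "get": {"summary": "Read an order"},
            "delete": {"summary": "Cancel an order",
                       "security": [{"bearerAuth": []}, {"apiKey": []}]},
        },
        "/health": {"get": {"summary": "Liveness probe", "security": []}},
        "/legacy/export": {"get": {"summary": "Bulk export", "security": [{}]}},
    },
})

if __name__ == "__main__":
    rows = inventory(SAMPLE_OPENAPI)
    for row in rows:
        print(row["service"], row["version"], row["method"], row["path"], row["auth"])
    print("open endpoints:", unauthenticated_endpoints(rows))
```

The liveness probe being open is usually intended; the bulk export with optional authentication is the kind of finding the inventory exists to surface. Because the document carries the service version, the same rows can be matched against the patch management records to show whether each API is actually covered.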

                   Internal Applications
                   Internal-facing applications are accessed primarily through an organization's internal network or
                   via its VPN; only users who are signed on to the internal network can reach them. In this
                   case, the typical architecture comprises an application server, a database server, and a
                   database, and is usually less complex than that of an internet-facing web application. The
                   segmentation principle is the same, however: the database should accept connections only from
                   the application server, not from user workstations.







                   36 — theiia.org