Sovereign Wealth Fund
Related pages Sovereign AI
Understanding the Spring Framework: Evolution, Risks, and Audit Considerations

History & Evolution
- Released in 2003 by Rod Johnson as a lightweight alternative to Java EE. (Wikipedia - link)
- Evolved into a full ecosystem, including Spring Boot (2014) for simplified deployment, Spring Security, and Spring Cloud for microservices.
- Originally developed by Interface21, later acquired by SpringSource, then VMware.
- Widely used in enterprise applications, cloud services, and microservices.

Audit Questions to Ask
- What versions of Spring and Spring Boot are in use?
- Are legacy Spring applications still maintained and patched?
- Is the team using official support channels, or relying on outdated third-party dependencies?

Key Risks for In-House Development
- Dependency risks – Third-party libraries (e.g., Log4j) can introduce vulnerabilities.
- Security misconfigurations – Weak Spring Security settings may expose authentication flaws.
- Excessive complexity – Over-engineered architectures can hinder maintainability.
- Inconsistent coding practices – Lack of standardisation can create operational risks.

Questions to Ask
- How does the team track and update dependencies?
- Are security configurations reviewed regularly?
- Are developers following a consistent architecture and coding standard?

Audit & Governance Best Practices
- Use Software Composition Analysis (SCA) tools to monitor third-party dependencies.
- Implement secure CI/CD pipelines to enforce security checks before deployment, and maintain an audit trail and the ability to roll back.
- Ensure strong access controls – proper OAuth2 configurations, API gateways, and authentication reviews.
- Monitor Spring security advisories and enforce timely patching.

Questions to Ask
- Does the organisation use tools like Snyk or OWASP Dependency-Check for vulnerability scanning?
- Are secure coding practices enforced in CI/CD pipelines?
- How often are Spring applications tested for security weaknesses?
sqlmap is an open-source tool that is designed to detect SQL injection flaws in web applications. Further reading Top 8 penetration testing tools (Snyk Blog) SQLmap Tutorial (Hacker Target)
SS2/21 Outsourcing and Third Party Risk Management outlines the PRA’s expectations for managing risks associated with outsourcing and third-party arrangements, ensuring compliance, operational resilience, and the identification of key risks that may impact the organization’s internal control environment. (Published on 29 March 2021) Further reading Link to PRA website
The Standard of Good Practice for Information Security (SOGP), developed by the Information Security Forum (ISF), is a comprehensive information security framework that provides best practices and guidance for managing information security risks and ensuring resilient organisations. SOGP has been developed to be in line with similar industry frameworks. Further reading SOGP - ISF SOGP - Wikipedia
Static Application Security Testing (SAST) is a security testing method that involves scanning the source code or binary code of an application to identify vulnerabilities before the application is deployed to production.
Related pages Supervised fine-tuning (SFT)
Systems thinking is an approach to problem-solving that views problems as parts of an overall system, rather than reacting to specific parts, outcomes, or events. Further reading Systems-Thinking in Complex Audit Situations (2020) Using systems thinking to identify the right problem - APM Systems thinking is needed: How accountants drive ESG - AICPA Related pages Book - Thinking in Systems Interconnections Patterns Feedback loops
Further reading What Is Takaful Insurance and How Does It Work? - Investopedia
Tenable is a cybersecurity software company that specialises in vulnerability management and cyber risk management solutions. It was founded in 2002, initially gaining prominence with Nessus, an open-source vulnerability scanner designed to identify security weaknesses in networks, systems, and applications. Since then, Tenable has expanded its products to cover cyber risk, compliance monitoring, threat intelligence, and attack surface management. Tenable’s solutions are widely used across a range of industries, including finance, healthcare, government, and technology, with clients ranging from small businesses to large enterprises. ...
Key elements

Types of testing
- Unit
- Integration
- System
- End-to-end (e2e)
- User Acceptance Testing (UAT)
- Non-functional - testing for objectives like performance of the system (speed, capacity), security, accessibility

What gets tested / timeline
- Critical processes / critical flows, e.g. authenticating, that transactions work as expected
- Prioritise high-risk or high-importance features early, allow time to fix defects

Ownership of testing
- Developers - unit & integration tests
- QA teams - end-to-end & non-functional tests
- Business - UAT

Tools
- Frameworks: JUnit, Cypress, automated testing with Postman
- CI/CD: GitHub Actions, Jenkins, Azure DevOps
- Results dashboards & alerts

Environments
- Dev, Test, Staging, Pre-Prod, Prod
- Test data strategy

Quality Gates
- Release only if/when tests pass (agree coverage %, what is the critical path)
- Risk-based testing: focus effort

Metrics & Governance
- Testing coverage
- Defect leakage
- Test pass rate
- Regression testing (YouTube)
- Align with SDLC & audit/compliance needs
Related pages CISO BISO