The question is not whether your company will be attacked, but how often. If your protection plan is built solely around information systems and networks, your business processes and people may be more vulnerable than you think. Insurance covers the direct cost of fixing the damage, but not the loss of credibility. If you only deal with the consequences, you may leave yourself vulnerable to further attacks. If you don’t know what has been stolen and how, it will be hard to fix things.
At Nixu we notice at times that there's a disconnect between the two technical parties in a security assessment: the developer and the security specialist. In this blog post we want to provide a guide for any non-security IT professional, or even for those who are well versed in security, on how to prepare for a security assessment of your application or system.