Is an application health check worth it for your system?

In today’s world of increased cyber-security threats, we are often asked which measures are most practical to protect your web application. Primarily, there are a number of daily, weekly and monthly items that need to be monitored, checked and updated – most commonly these are managed via a monthly application support arrangement with your development partner.  

But what do you do if your third-party system is not under regular support and you discover a critical security or performance issue? Or perhaps you have concerns your application has not been properly maintained and is at risk? 

Our answer is almost always the same. A health check is very important if there’s any chance your system isn’t up-to-date across the infrastructure, database or application. 

Not only do the tests carried out identify security vulnerabilities that may pose a serious existential risk to your organisation, they also recommend steps you can take to improve the performance and resilience of your system. 

An application health check is a bit like an enhanced MOT for a car. It’s a series of tests of key functions, configurations, vulnerabilities and markers to ensure everything is working in an optimal and secure way. A report is produced and any recommended measures can be implemented as a next step. 

At OWA, we offer this service to clients wherever there are concerns over the security or performance of a system that has been developed by a third-party. With such fast-paced changes in the technology and the security landscape, it’s also a good thing to consider scheduling to fulfil your own organisational best practice.

Every web application is created differently, almost always with some customisation, meaning a health check also needs to be tailored specifically to your system. 

Depending on your individual application and requirements, our health checks may cover a range of activities, falling broadly across three main areas: infrastructure, database and application.

The following is a typical set of investigations we carry out in each of these three areas:

Infrastructure

• CPU – Does the hosting infrastructure have enough CPU (central processing unit) capacity for normal application usage? Is there enough for spikes due to high traffic / other processes? Is there a way of scaling CPU / compute resources either automatically or manually? Are resources overprovisioned? 
• Memory – Is the application regularly hitting infrastructure memory limits? Are limits hit during traffic spikes or other scheduled tasks? What happens when the application runs low on memory? Is the application making best use of the available memory or is it over provisioned?
• Storage – Is there enough diskspace available to run the application, and to manage any logs or assets stored here? Is storage sufficient for expected growth of the application and are there processes in place to provision additional storage if required? For cloud storage, for example AWS S3, is the correct type of storage being used and are the correct policies for security and retention being applied?
• Security – Are the servers and other infrastructure secured against unauthorised access? Is there a process to ensure vulnerabilities in server operating systems and components are patched in a timely manner? Are the server operating system and components still supported by their vendor and is there a procedure for dealing with this?
• Disaster recovery – Should the servers become unavailable – for example, due to power failure or vendor outage and so on – is there a plan to recover from this? Has it been tested to ensure it works?

Database

• Resources – Is the CPU, memory and diskspace configuration suitable for the current workload? Is it also suitable for future workload requirements or is there a way of scaling this?
• Query optimisation – Are certain database queries using most of the database server resources? Is one query run may times which would be better cached elsewhere? 
• Index optimisation – Does the database have the correct indexes set on it? Are there any queries which could be rewritten to make better use of indexes?
• Disaster recovery – Is the database backed up? If so how frequently and how quickly can it be restored? 

Application

• Logging – Are errors and security events being logged? Are these logs reviewed and acted on?
• Monitoring – Are aspects of the application’s availability – for example, page availability, load times and so on – checked? Is any monitoring configured to provide alerts when functionality is unavailable or degraded in some way?
• Security – Are there any known vulnerabilities in any of the application components? Does the application follow secure coding standards? 
• Languages / frameworks – Do the languages / frameworks used provide flexibility in terms of any expected growth or new features that are going to be developed? How well supported / how available is development resource for the languages / frameworks in place?

The above are just some of the investigations our technical team carries out when checking the health of your web application. Not only do these tests often reveal improvements that can be made to the performance and resilience of your system, they can also identify security vulnerabilities that may pose a serious risk to your organisation’s data. 

In all cases, following a comprehensive health check of your system, OWA produces a detailed report and sets out any recommended actions, which we can implement by arrangement.

Please feel free to get in touch if you’d like to talk to us about checking the security or performance of your system.