Security Testing and Vulnerability Management Process. e-governance

Transcription

1 Security Testing and Vulnerability Management Process for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India.

2 Document Control S/L Type of Information Document Data 1. Document Title 2. Document Code 3. Date of Release 4. Next Review Date 5. Document Revision Number 6. Document Owner 7. Document Author(s) 8. Document Reference Document Approval Sr. No. Document Approver Approver Designation Approver ID Document Change History Version Revision Date Nature of Change Date of Approval No. For Internal Use Only Page 2 of 11

3 Tablle off Conttentts 1. INTRODUCTION SCOPE PURPOSE PENETRATION TESTING PENETRATION TESTING PROCESS VULNERABILITY MANAGEMENT PROCESS FREQUENCY METHODOLOGY...7 Phase-1: Scoping and Communication... 8 Phase-2: Vulnerability Scanning... 8 Phase 3: Extraction of Reports... 9 Phase 4: Removal of False Positives... 9 Phase 5: Final Report Generation... 9 Phase 6: Tracking Closure of Vulnerabilities... 9 Roles and Responsibilities Matrix for Vulnerability Assessment ANNEXURE For Internal Use Only Page 3 of 11

4 1. INTRODUCTION Security Testing and Vulnerability management encompasses measures taken to review the output from the application from the perspective of application security. The review of the outputs from penetration testing is done in alignment with the updates and recommendation from OWASP (Open Web Application Security Project) as well as WASC (Web Application Security Consortium). The review is also done in compliance with the e- Gov Security Policy. Vulnerability is a flaw or weakness in the design or implementation of hardware, software, networks, or computer-based systems, including security procedures and controls associated with the systems. A vulnerability assessment exercise identifies and categorizes all declared vulnerabilities but doesn t permits exploits, whereas penetration testing allows for exploitation of all vulnerabilities found by assessors. 2. SCOPE This process is applicable for all hosted applications in datacenters across all locations where information of e-gov service delivery is processed and/or stored within the application. 3. PURPOSE The objective of creating the vulnerability assessment process is to christen a formal methodology document for conducting vulnerability assessment critical systems; thereby pro-actively discovering to what extent the security of Information systems is threatened by attacks and whether the security measures in place are currently capable of ensuring Information security. This process will address the vulnerabilities before they can be exploited to compromise company resources. The process will end up providing For Internal Use Only Page 4 of 11

5 recommendations for closure of identified vulnerabilities and minimizing loss of confidentiality, integrity and availability of data. 4. PENETRATION TESTING Penetration testing primarily targets the application security mechanisms (e.g., cryptography, data validation, and authentication) implemented in the identified application. The attacks that are tried out during the testing includes OWASP Top 10 vulnerabilities: as well: o Un-validated Input o Broken Access Control o Broken Authentication and Session Management o Cross Site Scripting (XSS) Flaws o Buffer Overflows o Injection Flaws o Improper Error Handling o Insecure Storage o Denial of Service o Insecure Configuration Management On identification of vulnerabilities are reported and prioritized on the basis of impact and likelihood. A timeline is defined by the application Owner for closure of each of the vulnerabilities identified. In case of the remediation being infeasible the risks should be minimized and the residual risks should be documented over with a sign off. For Internal Use Only Page 5 of 11

6 Example: IBM Rational Appscan tool is used for automated penetration testing. Vulnerabilities so found are reviewed manually before publishing the report and sharing with Application owner. Thick client application penetration testing is carried out manually. 5. PENETRATION TESTING PROCESS Penetration testing is to be carried out by any STQC empanelled auditor. In this document we shall be referring to the same as PT (Penetration testing) team. Penetration testing Application CISO PT team Owner Start PT team asks or detail of Pre-prod and test environments Preprod/ Test environ ment Perform port scanning of application Manually validate test findings Generate and share report with App owner PT Report Validate the evidences to confirm fix of vulnerabilities Fix the vulnerabilities and share the evidences with PT Team Stop PT Report Reviews PT report and seeks clarification from PT team if required. a. PT team asks for the details required to initiate the penetration testing. The details include: o Application URL in pre-prod/test environment o Minimum two user credentials (1 administrative level access, 1 normal user) o Any sensitive URLs that are out of scope b. Application Owner ensures that application is stable enough and all the functionalities are working. For Internal Use Only Page 6 of 11

7 c. PT team requires at least 3-4 days for completing penetration testing. d. Port scan is carried out on pre production environment. The findings reported by tool are documented in the final Penetration Testing report which is shared with Application Owner. Automated Penetration Testing is carried out on the application. On completion of the automated testing, manual validation of vulnerabilities is carried out. e. Report is created for the vulnerabilities found and shared with Application Owner. The vulnerabilities are classified and rated High, Medium and Low according to their severity. Severity is categorized based on impact, likelihood and results of tool output. Refer annexure for PT Report template. f. Security gaps are worked on by the concerned team and necessary changes are incorporated to secure the application/environment. g. Application team shares evidence supporting closure, h. PT team then reviews the response and close the observations based on the evidence shared by Application team. If any discrepancy is observed, PT team gets back to Application team to seek clarifications. i. Final Closures are to be approved by CISO. 6. VULNERABILITY MANAGEMENT PROCESS 5.1 FREQUENCY The frequency for Vulnerability assessment cycle is annually. The full cycle covers end to end process staring from Scoping of devices to the closure tracker on scanned devices. 5.2 METHODOLOGY Following diagram depicts the methodology for Vulnerability Management. For Internal Use Only Page 7 of 11

8 Phase-1: Scoping and Communication The scoping and communication phase of vulnerability management comprise the following: Approved list of selected devices for which vulnerability assessment is to be carried out; Approved vulnerability assessment end to end plan Suitable dates for carrying out vulnerability assessment; Time slots for vulnerability assessment; and Communication of final dates and time slots to all stakeholders. Phase-2: Vulnerability Scanning In this phase an attempt is made to determine the existence of known vulnerabilities and to discover if any weak configuration settings are in use/set for the internal systems/devices. This is accomplished by using a tool based vulnerability scanning method. For Internal Use Only Page 8 of 11

9 Phase 3: Extraction of Reports In this phase, the team conducting vulnerability assessment collects the output of vulnerability assessment from all relevant remote VA servers and extracts individual vulnerability data items. The information provided by vulnerability assessment about the target host includes, but not limited to the following. OS version, open ports, active services, Protocol etc. Vulnerabilities and rating of vulnerabilities risk Remediation steps Phase 4: Removal of False Positives The objective of this phase shall be to weed out any false positives appearing in the output of VA tools. These false positives may involve: Wrong reporting for existence of a vulnerability that may not be applicable to the target environment / host Highlighting a configuration setting that is required for business purpose and the risk is acceptable or is mitigated by other measures Reporting a service/open port which is actually not running/open The execution of this phase may involve the need to have administrative privileges on the system/device under VA scope. Phase 5: Final Report Generation In this phase, the output of VA tools is used to formulate a management report for presenting to the key management representatives. This report presents an overall summary of VA findings and also consists of the detailed vulnerability observations. Refer Annexure for VA report template. Phase 6: Tracking Closure of Vulnerabilities Tracking the closure of identified vulnerabilities plays a very important role in the vulnerability management process. Once the report containing a final set of vulnerabilities is generated and For Internal Use Only Page 9 of 11

10 handed over to CISO; closure tracking needs to be done so that every critical-vulnerability is patched, remediation steps are followed and operating systems are hardened. Roles and Responsibilities Matrix for Vulnerability Assessment The roles and responsibilities matrix for accomplishing the tasks for conducting vulnerability management is given hereunder: Role Team lead- Data center Operations Team Member- VA Infra and Operations Team Composite Team- Security Responsibility Team lead - VA has the overall responsibility for ensuring that VA objectives are met. Responsibilities include: Maintaining VA measurements for reporting Ensuring proper implementation of Vulnerability Management Process Analyze trends and compliance thresholds Establish thresholds and exception (alerts) reporting procedures Implement approved VA process changes according to requirements Managing the VA Team resources Creation of VA Cycle Audit Plan Ensuring availability of all resources (people and technical) before every VA cycle Team member - VA has responsibility for providing support to the Team lead for VA activities. Specific responsibilities include: Provide technical support and advise to address VA gaps closure issues Performing VA Audit on selected devices as per the plan Create management report on the basis of VA report and take sign-off on the same from relevant business representatives Advise the VA Team Lead of any required system configuration or modifications to meet VA objectives Provide Sign-Off on the Audit Plan Implement recommendations in the VA report as per set schedule Identify false positives from the tool report Raise change management requests for implementing patches / vulnerability closure recommendations Submit closure status to Composite team - Security on a weekly basis Provide the approved breakup plan for annual phases of vulnerability audits Drive closure for identification of target devices For Internal Use Only Page 10 of 11

11 CISO Role Responsibility Track the closure of vulnerabilities found as per required frequency Provide feedback for improvisation of VA process Provide Sign-Off on the Management Report Provide management support to achieve set objectives for the success of VM process 7. ANNEXURE PT report.xlsx VA report.xlsx PT Indemnity Agreement.doc For Internal Use Only Page 11 of 11