G-Cloud IV Framework Service Definition Accenture Web Application Security Scanning as a Service

Transcription

1 G-Cloud IV Framework Service Definition Accenture Web Application Security Scanning as a Service 1

2 Table of contents 1. Scope of our services Approach... 4 a. HealthCheck Application Scan... 4 b. Bronze Application Scan... 4 c. Silver Application Scan... 4 d. Gold Application Scan Assets and tools Expected Outcomes Pricing Contacts About Accenture

3 1. Scope of our services This document describes Accenture s Web Application Security Scanning as a Service, and should be read in conjunction with the associated Government Cloud IV Services documentation. The service is provided through the Accenture Cloud Platform (ACP), providing enterprise-ready cloud services for clients. ACP is described in more detail within Accenture s IaaS Services. The Web Application Security Scanning as a Service is a real time, cloud-driven solution that inspects an application's security posture to discover vulnerabilities. The service helps clients to request an on-demand security review of their Internet-facing web applications at any point in the development, testing or production processes. Customers subscribe to a scanning package for specific applications, with each package consisting of security tests with selectable testing depth, frequency and results analysis. Our service assists customers through tasks ranging from running the application scans to understanding the vulnerabilities, as well as remediation options and implementation support. The service includes the following features: On-demand initiation of web application scanning for entire application portfolio, with scanning choices to match different risk levels and compliance requirements Best in class automated application security scanning, powered by Cenzic, an Enterprise class provider of Dynamic Application Security Testing products Accenture's Assisted scanning provides dedicated support for scan execution and reporting by skilled threat and vulnerability management practitioners Accenture's Advanced support option offers false positives removal as well as security strategy, architecture, planning and remediation assistance Regularly performing automated web application security assessments is considered an initial step towards an increased application security confidence. To complement this, Accenture offers a comprehensive set of one-off application and infrastructure security testing services Accenture s experience of delivering Security Services for clients globally has been streamlined into a recommended operating model called Threat and Vulnerability Management Capability. This TVM capability offers a complete spectrum of services that can be adapted to fit and build on the security maturity of any organisation. These optional services include: Vulnerability Scanning Security Reviews in the Software Delivery Lifecycle Source code analysis Penetration testing Configuration review Social Engineering 3

4 Furthermore, Accenture also provides a set of Managed Services that complement the Web Application Security as a Service Model, such as: Application Security Operations Security monitoring and reporting Infrastructure Security Management IT Risk and Compliance User and Identity Administration 2. Approach Accenture delivers TVM services based on a standardised, common method. This helps confirm efficiency, repeatability and solid delivery whether you want to implement or operate a Capability or run an independent assessment. Accenture s TVM assessments allow clients to configure a custom package depending on the required scope. Various engagement levels are available depending on the threat environment and risk profile of the assets to be tested. This service allows users to perform security vulnerability assessment scans against web applications. Each application requires its own subscription, which allows flexibility in the assessment depth and level of support provided. Accenture Cloud Platform (ACP) clients can select from several different options. Application Scans The cornerstone of the service is comprised of four types of subscriptions differentiated by the depth of testing and type of applications covered. Each subscription option provides services focusing on scan coverage, typical usage and the associated benefits. a. HealthCheck Application Scan The Healthcheck Application Scan helps the client to assess the security posture immediately and at no charge by checking for a limited number of application related vulnerabilities. This service should be leveraged as the initial step towards a stronger security posture with no capital investment required. The scan should be applied to all applications regardless of their business criticality or operational importance. b. Bronze Application Scan The Bronze Application Scan focuses purely on basic vulnerabilities most often exploited by hackers in relation to the running application. However, web server configuration vulnerability checks are limited with this service. The results will provide greater insight into website security posture and how much effort needs to be completed in order to improve web application security. The scan may be applied to every application regardless of its business criticality or operational importance. c. Silver Application Scan The Silver Application Scan is a more robust website test that finds the most common defects that lead to a data breach and brand damage and also focuses extensively on web server vulnerability checks. The result of a Silver Application Scan will provide more insight into web server configuration aspects as well as web application issues related to malicious file inclusions or unwanted data extractions. The scan should be applied for web applications with content that has been identified to increase value for the company. 4

5 d. Gold Application Scan The Gold Application Scan is a comprehensive service combining tests from both the Bronze Application and Silver Application Scan. Also, there are additional evaluations regarding input validation, credentials handling and transmission and checks to uncover potential areas for application data leakage. The results of the Gold Application Scan will provide a comprehensive information an automated scanning tool can deliver and will help the client to receive a final report in a PCI 6.6 or OWASP Top compliant reporting format. This is critical for clients where PCI or OWASP standard compliance is required. The Gold Application Scan as part of our scanning solution is on the list of officially approved PCI scanning approaches. The Gold scan should be applied for web applications with content that already has significant value for the company. Figure 1 Subscription applicability pyramid % of Vulnerabilities and Application tested Depicts the coverage/amount of vulnerability checks and extent to which the application is tested Risk Depicts the risk for the company if a particular application gets compromised Application Security Level Communicates that the more important the application is the more robust testing should be executed Assisted Standard Scanning The Assisted Standard Scan connects the client with an Accenture Security Practitioner who is part of the Accenture Threat & Vulnerability Management team for consuming the cloud-based security scanning service. The Accenture Security Practitioner will leverage the scanning portal to deliver the service on behalf of the client and will provide on-boarding support, scan execution and raw reporting. Additionally, the resource will be responsible for billing the client for labour hours following standard Accenture time reporting procedures. The scan is tailored to support clients that have an established skill set for remediation of identified vulnerabilities but are seeking assistance with on-boarding and execution to help them to focus on potential vulnerability mitigations. This support model will also increasingly save the client s time in scenarios where large quantities of applications are to be submitted and assessed. All operations on the scanning interface will be handled by the Accenture TVM Team. Assisted Advanced Scanning The Assisted Advanced Scan support model derives from the Assisted Standard Scan model and introduces additional features that further off-load components of the remediation process that would normally be the sole responsibility of the client. The scan provides additional support, specifically in the area of reporting. The Accenture TVM Team will assist the client to define remediation priorities, clear out false positive findings, and 5

6 provide remediation suggestions and a remediation roadmap. The scan is tailored to clients that seek support in the on-boarding, execution and remediation phases. Service Deliverables Depending on the support model selected, the following deliverables are provided: Raw scanning results Formatted executive summary with prioritised findings Detailed prioritised findings report Prioritised remediation recommendations Remediation roadmap 3. Assets and tools Accenture s accelerator assets and delivery methodologies around risk and threat analysis, vulnerability testing, penetration testing and vulnerability remediation management underpin this cloud based offering and bring the Accenture efficient delivery excellence to every project. Alongside these methods, the web application scanning tooling brings immediate potential benefit and security assurance from day one. Accenture s Threat & Vulnerability Management advisors focus on how to deliver the most precise results and provide valuable remediation feedback to the client to assist in increasing security confidence at any point in time. Accenture has integrated this cloud-based dynamic web application scanning solution into the Accenture Cloud Platform a cloud service broker platform to help decrease the time to client value for cloud services. 4. Expected Outcomes Security is undoubtedly one of the most important and discussed topics today. Web Application Security Scanning as a Service (WASSaaS) aims to improve confidence in web application security by providing a solution that: Requires low capital investment A cloud-based approach to the solution lowers the investment requirements. The pay-as-you-go model enables the use of WASSaaS on an ad-hoc basis or periodically in defined intervals without the need to host the scanning servers, maintain the datacentre space or maintain scanning solution updates. Provides commercial flexibility/custom scan requirements Client can tailor and consume their security scans via a self-service model. Each per application subscription can be different in order to comply with client needs and requirements. Eliminates client staffing needs No additional client-based resources are needed. Typically, for web application testing engagements the client will require skilled web application testers for scan execution and operations workforce to maintain and upgrade the scanning solution. Instead of constantly maintaining these resources, WASSaaS enables the client to stay focused on securing web applications. Provides scalability Scanning subscriptions offer four different levels with regards to the depth (number of checks) of scanning. This allows the client to select the appropriate subscription for the application to reflect the application s 6

7 business criticality and operational importance. Additionally, the client can use the Assisted Standard support model (See section 2.2) or the Assisted Advanced support model (See section 3.1) to engage with Accenture s Threat & Vulnerability Management (TVM) experts who can provide further scanning assistance and guidance. Offers compliance Accenture s WASSaaS solution can help organisations seeking PCI and OWASP compliance. For business critical applications where the most robust subscription is recommended, we are able to provide a PCI 6.6 and OWASP Top Ten 2010 compliant reports. The scanning engine in use is on the list of the PCI officially approved application scanners (See section 4.4). Example: A large telecommunications client lacked application security testing capabilities internally. No budget was available for a large application security program. Business challenges: - Requirement for testing internet facing applications, authenticated (including web and mobile applications) - Application Security testing is seen as a requirement following security issues, and a measure of the security is made internally by the compliance of applications to the OWASP standard - One application with PCI compliance requires PCI compliance scans - Advanced security testing (design review and penetration tests) to be performed on top of the standard Web Application Security Scanning as a Service security checks for the most critical applications Approach: - Selected the Cloud solution to perform scans, to benefit from low deployment and running costs - Generated vulnerability reports for technical teams, as well as standard and compliance reports for internal OWASP compliance and external PCI certification maintenance - The Accenture TVM team provided advanced reporting with False Positives removal as well as remediation assistance for the vulnerabilities reported Results - Client was able to get cost-effective point in time security results without a need for long negotiations, onboarding or contracting obstructions. - Client received list of suggested improvements giving ability to implement new controls and increase the security maturity of the solution in a meaningful and systematic way. - Client was able to get the assets re-tested as it was progressed with the remediation work for a fraction of the subscription price. This enabled actual view on whether the implemented controls successfully mitigated the particular vulnerability. 5. Pricing Please refer to the associated Pricing Document relevant for this Service. 7

8 6. Contacts Simon Mitchell (Accenture Health & Public Services Sales Lead) Telephone: Daniel W. Mellen (Offering Development Lead, Accenture Cloud Services Security) Telephone: About Accenture Accenture is a global management consulting, technology services and outsourcing company, with approximately 269,000 people serving clients in more than 120 countries. Combining excellent experience, comprehensive capabilities across all industries and business functions, and extensive research on the world s most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. The company generated net revenues of US$27.9 billion for the fiscal year ended Aug. 31, We have five industry-focused Operating Groups (OGs) including Health & Public Service, Communications Media & Technology, Financial Services, Products and Resources and these are supported by three Growth Platforms: Management Consulting, Technology and Outsourcing. 8

9 Copyright 2013 Accenture All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Copyright 2012 Accenture All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. 9