GOVERNMENT OF MAHARASHTRA



Similar documents
Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Security Testing & Load Testing for Online Document Management system

05.0 Application Development

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Inviting Tender from Cert-In empanelled agencies for Conducting Load and Security Testing of Web application of UPSDM

Overview of the Penetration Test Implementation and Service. Peter Kanters

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Rational AppScan & Ounce Products

Magento Security and Vulnerabilities. Roman Stepanov

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Columbia University Web Security Standards and Practices. Objective and Scope

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Web Application Report

What Every (Software) Engineer Needs To Know About Security. -- and -- Where To Learn It

Passing PCI Compliance How to Address the Application Security Mandates

Web application security

Adobe Systems Incorporated

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Security Testing and Vulnerability Management Process. e-governance

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

(WAPT) Web Application Penetration Testing

Where every interaction matters.

Attack Vector Detail Report Atlassian

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Reducing Application Vulnerabilities by Security Engineering

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

The Top Web Application Attacks: Are you vulnerable?

How To Ensure That Your Computer System Is Safe

DISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, The OWASP Foundation

External Supplier Control Requirements

Executive Summary On IronWASP

National Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement Exit Conference...

white SECURITY TESTING WHITE PAPER

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Table of Contents. Page 2/13

Columbia University Web Application Security Standards and Practices. Objective and Scope

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Cloud Security:Threats & Mitgations

How To Understand And Understand The Security Of A Web Browser (For Web Users)

Thick Client Application Security

GOVERNMENT OF MAHARASHTRA

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Web application testing

MANAGED SECURITY TESTING

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Intrusion detection for web applications

OWASP Top Ten Tools and Tactics

Strategic Information Security. Attacking and Defending Web Services

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Early Vulnerability Detection for Supporting Secure Programming

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

How To Write A Web Application Vulnerability Scanner And Security Auditor

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Development Processes (Lecture outline)

State of Web Application Security

OWASP AND APPLICATION SECURITY

SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN. Final. Version 1.0

PCI-DSS 3.0 AND APPLICATION SECURITY

Learning objectives for today s session

PCI Security Standards Council

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

Addressing Cyber Security in Oracle Utilities Applications

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Web Application Penetration Testing

Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0

Are you fighting new threats with old weapons? Secure your Web applications with Web Application Firewalls.

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Web application vulnerability statistics for

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

IJMIE Volume 2, Issue 9 ISSN:

Pentests more than just using the proper tools

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

What is Web Security? Motivation

Using Free Tools To Test Web Application Security

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Pentests more than just using the proper tools

Transcription:

GOVERNMENT OF MAHARASHTRA DIRECTORATE OF INFORMATION TECHNOLOGY GENERAL ADMINISTRATION DEPARTMENT 7 th Floor, Mantralaya, Mumbai-400 032 DIT 2012/CR 188/39 Dated: 5 th July, 2012 Addendum I: With effect from 1 st September, 2012, four agencies (Digital Age Strategies Pvt Ltd, IDBI Intech, Torrid Networks, Vista InfoSec Pvt Ltd) have been removed from the DIT, Govt of Maharashtra Empanelment as per revised list of CERT-In Below is the DIT, GoM empanelled agencies list effective 1 st September, 2012 To, Agency Name Contact Person 1 Name, Email, Number Mr. Ashish Kumar Saxena, ashish@aksitservices.co.in, 09811943669 AKS Information Technology Services Pvt Ltd Cyber Q Consulting Pvt Ltd Ms. Anita Upadhyay, anita.upadhyay@cyberqindia.com, 09873251240 Contact Person 2 Name, Email, Number Mr. Vivek Verma, vivek.verma@aksitservices.co.in, 09899357568 Mr. Debopriyo Kar, debopriyo.kar@cyberqindia.com, 9810033205 Deloitte (DTTIPL) KPMG STQC Mr. Shree Parthasarathy, sparthasarathy@deloitte.com, 9871722243 Mr. Anil Sahore, anils@kpmg.com, 8652207020 Shri Gautam Pal, gpal@stqc.nic.in, 9326825625 Mr. Maninder Bharadwaj, manbharadwaj@deloitte.com, 9972237001 Ms. Revati Mujumdar, Revati@kpmg.com, 9260784941 Mr. Himadri Roy, itpune@stqc.nic.in, 020-25459514 Subject: Empanelment of Agencies for Security Audit of Websites and Applications Valid till 4 th July 2013 or until valid empanelment of CERT-In whichever is earlier. Reference: Directorate of Information Technology EoI No: DIT 2012/CR 188/39 for Empanelment of Security Audit Agencies Dear Sir/Madam, You are hereby informed that based on the evaluation of bids received for EoI for Empanelment of Security Audit Agencies, your organization has been empanelled by Government of Maharashtra. Guideline for departments on selection of agency is given in Schedule- A. The scope of work to be carried out as part of security audit is given in Schedule- B. Term and conditions of empanelment is given in Schedule C. Government of Maharashtra Page 1

Schedules annexed 1. Schedule - A Guideline for department on selection of agency 2. Schedule - B The scope of work to be carried out 3. Schedule - C Terms and condition of Empanelment Yours Sincerely, -Sd- Director IT GAD, Government of Maharashtra Government of Maharashtra Page 2

Schedule- A Guideline for department on selection of agency Security Audit of website or application is essential before Go Live. All the applications hosted in SDC as on 5 th July, 2012 will be audited by DIT and findings will be sent to the application owner for corrective action. Security Audit is mandatory for any new application or website developed by the department. As part of large projects if STQC certification is to be done then security audit may be skipped. The empanelled agencies will only conduct Security Testing. Other tests like functional testing, load testing, etc will not be in the scope of work for the empanelled agencies. Limited RFP DIT has empanelled the above mentioned agencies based on the technical evaluation of response to EoI. However, the cost of security audit depends on the scope of work and the type of application or website to be tested. Hence a limited RFP may be floated by the indenting department among the empanelled agencies with scope of work and application/website details, to discover the commercial for the activity. Based on the bids received the L1 agency may be selected. Payment Milestone Payment should be linked to delivery of audit report with details of corrective action and compliance review. 50 % payment may be released based on audit report and support to development team for removing the vulnerabilities. Remaining 50% may be released after completion of compliance audit and ensuring that vulnerabilities are resolved. Schedule B Scope of work and deliverables Scope of security audit for Web or browser based application and Website The agency may cover below mentioned tests for the application or website provided for testing: 1. Application Security Audit 2. Penetration Testing 3. Vulnerability Testing 4. Database Server Controls 5. Physical Access Control 6. Network security Review as part of Application Security 7. Compliance Review Government of Maharashtra Page 3

Black box testing for Security Audit should follow OWASP guidelines covering but not limited to the below: 1. Cross-site scripting (XSS) 2. Injection flaws, particularly, SQL injection. Also consider LDAP and Xpath injection flaws as well as other injection flaws. 3. Input Validation flaws 4. Malicious file execution 5. Insecure direct object references 6. Cross-site request forgery (CSRF) 7. Information leakage and improper error handling 8. Broken authentication and session management 9. Insecure cryptographic storage 10. Insecure communications 11. Failure to restrict URL access 12. Denial of Service Scope of security audit for Desktop based application 1. Test user s rights and roles-authorized person should allow to login 2. Test security of data or information stored in application 3. Role based Security (Privilege Escalation) 4. Authentication Bypass or Unauthorized Access 5. Improper Error handling 6. Buffer Overflow 7. Denial of Services 8. Insecure Communications 9. Insecure Cryptographic Storage Below are some of the important points as part of deliverables: 1. The audit report provided by the agency should have details for corrective action and steps to remove identified vulnerabilities. 2. The agency should provide support to the development team for changes in coding to remove the vulnerabilities. 3. The support should include minimum of 1 day (per website or application) onsite training or handholding to the development team. 4. Compliance review should be done after ensuring that changes to remove the vulnerabilities are completed by the development team. 5. Compliance audit should be done not only to check for removal of previously identified threats but to ensure that the application or website has no vulnerabilities as a result of changes done in the code. Government of Maharashtra Page 4

Schedule C Terms and conditions of the Empanelment i. The agency will be removed from empanelment if due to any reason CERT-In has removed or not extended the empanelment of the agency. ii. The empanelled agency will not outsource any activity to other agency. iii. On failure of execution of any work awarded to the agency, the EMDs furnished for the empanelment will be forfeited. iv. The empanelled agency will maintain confidentiality of the findings of security audit and ensure that the findings and corrective actions are shared with concerned stake holders of the project. v. The empanelled agency will adhere to all the terms and conditions mentioned in the RFP floated by the indenting department Any violation of the above terms and conditions will lead to removal of agency from the Empanelment Government of Maharashtra Page 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information